DISTRIBUTED SNIFFER SYSTEM™

Network General

Preface


About This Manual 


This manual describes the installation and configuration of the 
Sniffer® server. It also gives recommendations on fine-tuning the 
server within the system for thorough monitoring and analysis of 
your network. 


The Distributed Sniffer System consists of two types of product: 
Sniffer® servers and SniffMaster consoles. Each server observes the
local- or wide-area network to which it’s attached; consoles control 
servers and display the results of the servers’ activities. Some servers 
run the monitoring and analysis applications alone, while others run 
both. Other manuals describe the monitoring and analysis 
applications. 


Manuals for the Distributed Sniffer System 


Two types of manual accompany the Distributed Sniffer System. The 
primary manuals, which include this one, describe the system’s 
normal operations; the supplementary manuals describe the 
programs that configure and test the system’s various hardware and 
software components for troubleshooting. The actual manuals in your 
shipment depend on the system configuration.

Figure i describes the primary manuals for the Distributed Sniffer
System.

For Information On... | Manual
Installing and configuring servers and consoles. Operating consoles. | Distributed Sniffer System: Installation and Operations Manual or Sniffer Server Installation Manual.
Operating the server's analysis functions on an Ethernet, token ring, or wide area network. | Distributed Sniffer System: Analyzer Operations Manual.
Operating the server's monitor functions on a token ring network. Using the monitor features effectively to detect network abnormalities. | Distributed Sniffer System: Token Ring Monitor Operations Manual.
Operating the server's monitor functions on an Ethernet network. Using the monitor features effectively to detect network abnormalities. | Distributed Sniffer System: Ethernet Monitor Operations Manual.
Various network types and protocol suites. | Distributed Sniffer System: Network and Protocol Reference.

Figure i. Primary manuals for the Distributed Sniffer System.


Figure ii describes the supplementary manuals for the Distributed 
Sniffer System. 


For Information On... | Manual
Running the adapter diagnostics to test the IBM 16/4 token ring adapter in the console. | Token-Ring Network Guide to Operations.
Running the diagnostics to test the InterLan NI5210 Ethernet controller in the console. | NI5210 Installation Manual.
Configuring and using the IBM® Local Area Network (LAN) Support Program. | Local Area Network Support Program, User's Guide.

Figure ii. Secondary manuals for the Distributed Sniffer System.


If the product shipment includes release notes or README files on 
disks, the information in the notes or files supersedes the information 
in this manual.


Audience of This Manual 


The manual has been prepared with the following assumptions: 


* You are a network manager or troubleshooter who 
understands how networks operate. 


* You are familiar with DOS. 


Organization of This Manual 


Figure iii describes the organization of this manual. 


Chapter 1, “Sniffer Server Overview” | Provides an overview of the Sniffer server and describes its capabilities.
Chapter 2, “Before You Begin” | Describes information to know and actions to take before configuring and installing the server.
Chapter 3, “Setting up the Sniffer Server” | Describes the initial configuration and installation of servers.
Chapter 4, “Configuring the Sniffer Server” | Describes how to establish connections between servers and consoles and then to use the Sniffer server configurator.
Appendix A, “Troubleshooting Guide” | Provides recommendations for systematically isolating and correcting problems with your Sniffer within the Distributed Sniffer System.
Appendix B, “Troubleshooting and Fine Tuning Utilities” | Describes each of the tools and utilities provided to help you troubleshoot and fine tune your Sniffer within the Distributed Sniffer System.
Appendix C, “Configuration Record” | Discusses recommendations for keeping a detailed and accurate record of your Sniffer server.

Figure iii. The organization of the manual, Distributed Sniffer System:
Server Installation Manual.


Navigational Aids Used in This Manual 


To help you find procedures easily, a separate list of procedures is 
provided in this manual in addition to the Table of Contents and List 
of Figures. Also, the “Recommendation” entries in the Index point 
you to suggestions for getting the most from your Distributed Sniffer 
System.

This manual uses icons in the margin to help you locate important
information as explained below: 


The paragraph next to this icon contains information that is especially 
important. Read it carefully before you proceed. 


A warning gives you instructions that you must follow to avoid 
possible damage to data files, program files, or hardware devices. 


A cautionary paragraph provides information that you need to avoid 
injury to yourself or others. 


A recommendation describes a useful and valuable way of using the 
products. 


A procedure is a series of steps for accomplishing a particular task. 


Conventions Used in This Manual 


Special Notations

The following describes the conventions used in this manual:

Bold          Menu options are in bold type. For example:
              Move to Display, and press Enter.

UPPERCASE     Filenames and commands you type at a DOS
              prompt are in uppercase. For example:
              Modify the AUTOEXEC.BAT file if necessary. To
              duplicate the file, use the COPY command.

Bold italics  Variables, for which you insert values, are in
              bold italics. For example:
              Type the number of minutes and seconds in the
              mm:ss format.

Screen font   Screen messages are printed in monospaced font.
              For example:
              If a monitoring session is in progress, the
              following message appears:
              You must stop monitoring before you can use this feature.

ITEM1\ITEM2   A menu title made up from the succession of
              menu items chosen to get to the submenu. For
              example, to choose the Interval for a rotating
              carousel display, you would go to the Screen
              Carousel \ Rotating Display menu.


Terminology 




Hexadecimal numbers in the manual are followed by “(hex)”; 
numbers without any notations are decimal. For example, “The 
maximum number of stations is 75. The default memory address is 
D8000 (hex).” 


The terms “monitor” and “analyzer” refer to software applications 
that run on token ring or Ethernet Sniffer servers. The term “console” 
refers to control and display software running on a dedicated PC. 


Screen Displays and Keyboard Input 


Enter all the keystrokes mentioned in the manual from the 
SniffMaster console. Similarly, all the screen displays generated by a 
server appear on the console’s screen. 


The screen displays in this manual may not be identical with what you 
see on your console screen. For example, you can choose to have the 
console show the server name on each monitor display, but the 
screens in this manual do not show the name. 


Other Sources of Information

Network General Corporation (NGC) provides other sources of
information that can help you get familiar with the Distributed Sniffer
System.

On-Line Help

After highlighting an item in a console, analyzer, or monitor menu,
you can see a phrase or sentence in a panel near the bottom of the
screen. It explains the meaning of the highlighted item.

To obtain general information about a particular feature of the
Distributed Sniffer System, press F1 at any time. A window
containing a list of topics opens. If you are displaying a monitor
statistics screen, pressing F1 gives you information on the current
screen.

Tutorial

NGC distributes a booklet with an accompanying diskette entitled
Real Networks, Real Problems. It presents case studies using data
captured with a Sniffer network analyzer from four different
networks. The Sniffer analyzer and the server's analysis application
have different capabilities, but the case studies allow you to see how
investigation of a network problem proceeds.

You can obtain the tutorial free of charge from any of the company’s
sales representatives or directly from NGC.


Technical Support 


A toll-free number is available to obtain technical support for the 
Distributed Sniffer System. Before calling, however, please check 
Appendix A, “Troubleshooting Guide.” You will find tips for
troubleshooting your system before requesting help as well as 
information you will need to provide when you do request help.

Chapter 1. Sniffer Server Overview


Chapter Overview 


This chapter summarizes the role of the Sniffer server in Network 
General's Distributed Sniffer System, describes the important 
software and hardware elements in each of the servers and consoles, 
and shows several ways that servers can be deployed within a system. 


The Server’s Role in the Distributed Sniffer System 


A Sniffer server is one of the two basic parts of the Distributed Sniffer 
System. One part is the network monitoring and analysis tool known 
as the Sniffer server. Servers are controlled by SniffMaster consoles. You 
can see a simple Distributed Sniffer System illustrated in Figure 1-1. 


[Diagram: Sniffer Server; SniffMaster Console]

Figure 1-1. Basic Distributed Sniffer System components.


Servers are small and powerful computers with special applications 
software and hardware components that allow them to communicate 
with consoles, to collect statistics from the network, and to capture 
frames. They provide the processing power to give you a 
sophisticated view of your network, its problems and trends. You can 
have up to two consoles viewing and controlling one server. 


Consoles connect to your servers and allow you to observe your 
network and control the servers’ activities. They are also computers 
with a special software application and a board for communicating 
with servers. A console’s display not only lets you inspect the 
individual Ethernet® segments, token rings, and wide area network 
(WAN) links to which servers are connected but also provides global 
information on your entire network.

You can set up the Distributed Sniffer System components on
different segments, rings, and links of your network. Theoretically, 
you can have any number of SniffMaster consoles attached to 
different segments or rings, but no more than two consoles can 
simultaneously control any one server. The number of Sniffer servers 
you can control from one console will vary according to the 
configuration of your particular Distributed Sniffer System. 


Server and Console Software and Hardware

This section briefly describes internal components that servers use to
perform their monitoring and analysis tasks and that both servers and
consoles use to communicate with one another.

Sniffer Servers


Sniffer servers contain network monitoring and analysis applications 
software (Figure 1-4). In addition, they each have a powerful 
microprocessor, a hard disk, and two network interface cards (NIC): 
the Monitor Card and the Transport Card. 


The Monitor Card is used for analyzing or monitoring network 
traffic—e.g., collecting data from which statistics are calculated, 
setting off alarms, and capturing frames for analysis. When connected 
to the SniffMaster console, a server regularly transmits what it knows 
about its network to the SniffMaster console via the Transport Card. 


[Diagram labels: Monitoring/Analysis Software, Monitor Card, Transport Card, Sniffer Server, Console Software, SniffMaster Console]

Figure 1-2. Internal elements of the basic components used in the
Distributed Sniffer System.


Sniffer server software applications are of two types: 
* Monitoring application 
* Analysis application. 


A monitoring application—that is, the network monitoring program 
installed either in a Sniffer monitor server or in a Sniffer analysis 
server—continuously maintains a set of real-time counters, charts and 
summaries of network activity. A monitor continuously scans a list of 
possible warning thresholds and transmits alarms to the console 
when they’re encountered. 


An analysis application—that is, the network analyzing program 
installed in a Sniffer analysis server—records and interprets network 
transmissions. The work of analysis occurs in two stages:

Capture:  The analyzer records network traffic for later
          interpretation. Capture can be filtered to record only
          traffic meeting certain criteria. Capture can be frozen
          when a triggering condition is observed to assure that
          the retained sample includes traffic just before or after
          the event of interest.

Display:  The analyzer interprets the recorded traffic. During
          display, the analyzer decodes the various layers of
          protocol in the recorded frames and displays them as
          English abbreviations or summaries. The analyzer can
          filter the display to show only those frames that meet
          certain criteria.
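
The two stages above, filtered capture that freezes on a trigger and filtered display of what was retained, can be modeled as a ring buffer. This is an added example, not Network General's code; the Frame fields, the TriggeredCapture class, the oversized-frame trigger and the sample traffic are constructed for illustration, and evaluating the trigger only on frames that pass the capture filter is an assumption.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Iterable, List, Optional


@dataclass(frozen=True)
class Frame:
    """Constructed stand-in for a captured frame (not a Sniffer data structure)."""
    seq: int      # arrival order on the wire
    src: str
    dst: str
    proto: str
    length: int   # frame length in bytes


Predicate = Callable[[Frame], bool]


class TriggeredCapture:
    """Hypothetical ring-buffer capture with a capture filter and a freeze trigger."""

    def __init__(self, capacity: int, capture_filter: Predicate,
                 trigger: Predicate, post_trigger: int) -> None:
        # The triggering frame itself must still fit in the buffer.
        if capacity < 1 or not 0 <= post_trigger < capacity:
            raise ValueError("need capacity >= 1 and 0 <= post_trigger < capacity")
        self.buffer: Deque[Frame] = deque(maxlen=capacity)  # oldest frames fall out
        self.capture_filter = capture_filter
        self.trigger = trigger
        self.post_trigger = post_trigger
        self.remaining: Optional[int] = None   # frames still to record after the trigger
        self.trigger_seq: Optional[int] = None
        self.frozen = False

    def offer(self, frame: Frame) -> bool:
        """Present one frame from the wire; return True if it was recorded."""
        if self.frozen or not self.capture_filter(frame):
            return False
        self.buffer.append(frame)
        if self.remaining is None:
            # Assumption: the trigger is evaluated only on frames that pass the filter.
            if self.trigger(frame):
                self.trigger_seq = frame.seq
                self.remaining = self.post_trigger
        else:
            self.remaining -= 1
        if self.remaining == 0:
            self.frozen = True   # retained sample now straddles the event
        return True

    def display(self, display_filter: Optional[Predicate] = None) -> List[str]:
        """Display stage: summarize retained frames, optionally filtered."""
        return [
            f"#{f.seq} {f.src} -> {f.dst} {f.proto} len={f.length}"
            for f in self.buffer
            if display_filter is None or display_filter(f)
        ]


def sample_traffic() -> List[Frame]:
    """Constructed traffic: 20 frames, every fourth is IPX, frame 12 is oversized."""
    frames = [
        Frame(seq, f"station{seq % 3}", "server",
              "IPX" if seq % 4 == 3 else "TCP", 64 + seq)
        for seq in range(20)
    ]
    frames[12] = Frame(12, "station0", "server", "TCP", 1600)
    return frames


def oversized(frame: Frame) -> bool:
    """Example trigger: frame longer than the 1518-byte Ethernet maximum."""
    return frame.length > 1518


def run_capture(frames: Iterable[Frame], capacity: int, post_trigger: int,
                trigger: Predicate) -> TriggeredCapture:
    """Record only TCP frames and freeze post_trigger frames after the trigger."""
    cap = TriggeredCapture(capacity, lambda f: f.proto == "TCP", trigger, post_trigger)
    for frame in frames:
        cap.offer(frame)
    return cap


if __name__ == "__main__":
    cap = run_capture(sample_traffic(), capacity=6, post_trigger=2, trigger=oversized)
    print("frozen:", cap.frozen, "trigger frame:", cap.trigger_seq)
    for line in cap.display():
        print(line)
```

With a buffer of 6 and 2 post-trigger frames, the retained sample holds 3 frames before the event, the triggering frame, and 2 after it; raising post_trigger shifts the window later.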


SniffMaster Consoles 


The SniffMaster console uses its own Transport Card to receive 
network information from the Sniffer servers (Figure 1-4). It displays 
that information on its own display as screens of individual servers, 
or it consolidates information—for example, alarms signalling 
problems and other significant conditions on different network 
segments and rings—from all connected servers. 


The user also controls the servers from the console. The console 
transmits keystrokes entered on its keyboard to servers to start and 
stop functions, to reformat displays, or to change applications. 


Protocol Layers in Servers and Consoles 


Servers and consoles talk to each other using a transport protocol. 
Figure 1-3 shows the possible protocol and network interface 
combinations used in servers and consoles. 


[Table: POSSIBLE PROTOCOL COMBINATIONS. Recovered labels: Layers; Console or monitoring/analysis software; Application; Program Interface; Transport; Physical.]

Figure 1-3. Protocol layers used in servers and consoles.

The transport layer you choose is very important. Transport protocols
make communication between consoles and servers possible in a 
distributed environment. In the Distributed Sniffer System, the three 
transport protocols available are NetBEUI, Novell’s IPX, and TCP/IP. 
It is necessary that all servers and consoles in one Distributed Sniffer 
System use the same transport protocol. 


Sniffer Server Deployment 




Figure 1-4 shows you several possible ways to deploy servers within 
a Distributed Sniffer System. Your Sniffer servers can keep an eye on 
Ethernet, token ring, or WAN traffic. Each Sniffer server sends what 
it sees in the traffic it observes to the SniffMaster console through a 
TCP/IP, IPX, or NetBEUI connection over Ethernet or token ring. 


[Diagram labels: Server 1, Server 2, Server 3, Server 4, Server 6, Server 8, Bridge/Router]

Figure 1-4. Examples of Sniffer server deployment.


Figure 1-4 shows a number of the possible ways of linking Sniffer 
servers and SniffMaster consoles to make a Distributed Sniffer 
System. Servers 1 and 5 are connected to the same token ring as one of 
the consoles. Server 1 observes that ring whereas Server 5 observes the 
WAN link. Server 6 observes yet another ring and can communicate 
with the console through a bridge or router. Servers 2 and 3 are 
connected to the same Ethernet segment. Server 2 observes that 
segment while Server 3 observes a WAN link. Both can communicate 
with the first console via the WAN or with the second console via a
bridge or router. Server 8 observes a token ring and can be controlled
by either console via the WAN. 


Chapter 2. Before You Begin


Chapter Overview 


This chapter provides unpacking instructions, first time precautions, 
the system requirements, a list of documentation, and advice on 
protecting your server. 


Unpacking

Unpack the server from its carton. The items in the carton include:

* Sniffer server
* Keyboard terminators
* WAN server only: an interface pod and cable and a DB-25 cable
  with three connectors
* Documentation
* License agreement
* Warranty registration cards
* Configuration sheet describing the specific configuration for
  the server.
* Packing list describing all items included in the shipment;
  there’s an identical one in each box.


Verify the items you received against the packing list. 


Read the license agreement. If you cannot accept its terms, go no 
further! You have three days to put everything back into the box and 
to return the items. When you connect a server to a power outlet, you 
are signaling that you accept the terms of the license agreement. 


Fill out the warranty registration cards, and return them to Network 
General Corporation. 


First Time Precautions 


When you've completed the installation and configuration of a Sniffer 
server, you will want to back up certain files on the server’s hard disk 
(see “To back up critical files on a newly installed, configured, and 
connected Sniffer server:” on page 2-8). 


Also note that the server comes with a label attached to the bottom 
with important information about the unit, for example, serial
number, hardware address, and so on. There are also extra labels with
the same information on them. When you put a server on a rack or in 
a closet, you will want to put an extra label in a highly visible place so 
that you can identify the unit and refer to the information whenever 
you want. Also, you will want to record the information in some other 
place. See Appendix C, “Server Configuration Record.” 


The Sniffer Server 


Components 




Three combinations of applications software are available on Sniffer 
servers: 


* Monitoring-only 
* Analysis-and-monitoring 
* Analysis-only. 


All servers are available only as turnkey systems. They come with 
various combinations of NICs and transport protocols. 


The Sniffer server comes equipped with the following hardware and 
software components: 


* Server chassis with power supply.
* Intel 80386sx microprocessor.
* 1MByte of RAM for monitoring-only servers; 5MByte of RAM
  for analysis and monitoring servers and for analysis-only
  servers.
* 40MByte hard disk.
* Two serial interface ports: COM1 and COM2.
* Parallel interface port: LPT1.
* Sniffer monitoring or analysis applications software installed
  at the factory.
* Two ISA bus 16-bit interface card slots.
* Two NICs. One is the Transport Card for server-console
  communications; the other is the Monitor Card for monitoring
  and/or analyzing.
* Transport protocol software.
* WAN server only: an interface pod and cable and a DB-25 cable
  with three connectors


Configurations 


The two major configuration dimensions for servers are network type 
and transport protocol. Monitoring-only and analysis-and-monitoring 
servers can observe either Ethernet or token ring. Communication 
with consoles must be over the same network type. Analysis-only 
servers can analyze WAN traffic and use either Ethernet or token ring 
to communicate with consoles. All the servers and consoles in your 
Distributed Sniffer System that you want to communicate with one 
another must have the same transport protocol. 


The table in Figure 2-1 shows the four possible configurations for the 
monitoring-only server. 


Monitor Card | Transport Card | Transport Protocol
Ethernet: InterLan NI5210 | Ethernet: InterLan NI5210 | Novell IPX
Ethernet: InterLan NI5210 | Ethernet: InterLan NI5210 | TCP/IP
Token ring 16/4 | Token ring 16/4 | Novell IPX
Token ring 16/4 | Token ring 16/4 | IBM NetBEUI

Figure 2-1. NIC and transport protocol combinations for the
monitoring-only Sniffer server.


The table in Figure 2-2 shows the four possible Sniffer analysis-and- 
monitoring server configurations. 


Monitor Card | Transport Card | Transport Protocol
Ethernet: 3Com 3C505 | Ethernet: InterLan NI5210 | Novell IPX
Ethernet: 3Com 3C505 | Ethernet: InterLan NI5210 | TCP/IP
Token ring 16/4 | Token ring 16/4 | Novell IPX
Token ring 16/4 | Token ring 16/4 | IBM NetBEUI

Figure 2-2. NIC and transport protocol combinations for the Sniffer
analysis-and-monitoring server.


The table in Figure 2-3 shows the four possible Sniffer analysis-only
server configurations.

Monitor Card | Transport Card | Transport Protocol
WAN | Ethernet: InterLan NI5210 | Novell IPX
WAN | Ethernet: InterLan NI5210 | TCP/IP
WAN | Token ring 16/4 | Novell IPX
WAN | Token ring 16/4 | IBM NetBEUI

Figure 2-3. NIC and transport protocol combinations for the Sniffer
analysis-only server.

Front Panel


Sniffer servers come equipped with several LED indicator lights and 
a switch on the front panel. You can see them in Figure 2-4. 


[Diagram labels: Fixed Disk Lamp, Power Lamp, Power Switch]

Figure 2-4. Sniffer server front panel.

Fixed Disk Lamp   Indicates that hard disk is being accessed.

Power Lamp        Green indicates operation with higher
                  processor speed. Red indicates slower
                  processor speed.

Power Switch      Push once to switch on. Push again to
                  switch off.

Back Panel


Sniffer servers come equipped with several controls and connectors 
on the back panel. You can see them in Figure 2-5. 


[Diagram labels: Voltage Selector, Monitor Card, Transport Card, Power, Keyboard Terminator, Serial COM2 (DB-9), Serial COM1 (DB-25), Parallel Port 1 (Centronics)]

Figure 2-5. Sniffer server back panel.

Transport Card       NIC used for communicating with the
                     SniffMaster console.

Monitor Card         NIC used for observing traffic on, and
                     capturing traces from, a network.

Voltage Selector     Set correctly for the local electrical supply:
                     115, nominal voltages 100 to 125 Vac
                     (standard for U.S.); 230, nominal voltages
                     220 to 240 Vac.

AC Power             Use to connect the AC power cord to the
                     system unit.

Keyboard Terminator  You must put this in place after receiving
                     the unit. Always keep the keyboard
                     terminator in place. The server will not
                     function properly without it.

Serial Connectors    Two serial connectors: one DB-9 for COM
                     port 2 and one DB-25 for COM port 1. Use
                     to connect the signal cable of a serial printer
                     or any other RS-232 device.

Parallel Port        Connector for parallel port 1. Use to connect
                     the signal cable of a parallel printer or any
                     other parallel (Centronics) device.

Documentation


In addition to the manual you’re now reading, the following 
publications will also help you get the most from the Distributed 
Sniffer System: 


* Distributed Sniffer System: Analyzer Operations Manual
* Distributed Sniffer System: Token Ring Monitor Operations Manual
* Distributed Sniffer System: Ethernet Monitor Operations Manual 
* Distributed Sniffer System: Installation and Operations Manual 


Protecting Your Server 


This section explains a precaution you should take before using your 
server. You can easily protect yourself from a disaster with some 
advance preparation. 


Remember to transfer periodically certain vital files on each Sniffer 
server to a SniffMaster console hard disk. Some of these files are 
identical on all servers of the same type, and some are different: 


Files in the root directories of all servers:

    CONFIG.SYS
    AUTOEXEC.BAT

Files in the xxSNIFF directories of all servers (in this case, xx
can be either EN or TR):

    STARTUP.xxD
    STARTUP.xxI
    STARTUP.xxS

Files in the IPXEN directory of an Ethernet server or the
IPXTR directory of a token ring server using Novell’s IPX
transport protocol:

    SHELL.CFG

Files in the WINTCP directory of an Ethernet server using
the TCP/IP transport protocol:

    WINTCP.SYS
    SNMP_NGC.CFG

To back up critical files on a newly installed, configured, and
connected Sniffer server:

1. On the console, create a set of directories in advance in which
   to store the files you will back up from each server. You may
   want to have one directory per server.

2. In the Server Status display, use the Cursor keys to highlight
   the Sniffer server from which you want to copy files.

3. Press F8 (Server screen) to view the Sniffer server.

4. Use the Cursor keys to highlight the File Transfer Utility item
   on the Main Selection Menu (Figure 2-6).

   [Screen: Sniffer Server, (C) Copyright 1998-1991, Network General Corporation. Main selection menu items: Ethernet Monitor, Ethernet Analyzer, File Transfer Utility, Configure Server, Exit to the Operating System. Help panel: "Run the Sniffer Server file transfer utility."]

   Figure 2-6. File Transfer Utility item on the Main Selection Menu.

   * If the analyzer or monitor application is running, you must
     exit the application to the Main Selection Menu.

   * If the Sniffer server is at the DOS prompt, you can type
     MENU at the prompt, and press Enter.

5. Press Enter.

   Result: The Sniffer server will install the Server File Transfer
   Utility.

   Note: This is the condition in which you must leave the Sniffer
   server in order to carry out any transfer. Press the Esc key to
   terminate the file transfer utility.

6. Press F11 (List) to return to the Server Status display.

7. Highlight the new server on the list.

8. Press F3 (Miscellaneous control).


   Result: The Miscellaneous Control menu with the name of the
   Sniffer server in the upper left-hand corner appears (Figure 2-7).

   [Screen: SERVER STATUS, sorted by server name. Columns: Server name, Current status, Monitor's alarm, Transport address, Messages exchanged. Sample row: "RedWind666", Logged off, 15.8.184.22. Menu items: Update server software, Transfer file to console, Transfer file to server, Reboot the server.]

   Figure 2-7. Miscellaneous Controls menu.

9. On the Miscellaneous Control menu, use the Cursor keys to
   move the highlight to the item, Transfer file to console.

10. Press Enter.

    Result: The field for entering the source filename appears.

11. Type in the source filename on the Sniffer server.

12. Press Enter.

    Result: The field for entering the destination filename appears.

13. Type in the destination filename on the SniffMaster console.

14. Press Enter.

    Result: The message, “Uploading [filename],” appears during
    the transfer process.

You may get one of several messages after the transfer process.
See the table in Figure 2-8 for information on their meaning
and further user actions.

Message | Meaning and user action
“Transfer completed” | Press any key to return to the Miscellaneous Controls menu.
“Timeout” | Try again. Increase the “timeout” value at the server.
“Transfer failed at the console—file not found” | Wrong path or filename. You must specify the console drive.
“Transfer failed at the console—network timed out” | File Transfer Utility not installed. Go to Server’s Main Selection Menu.

Figure 2-8. Messages and user action during file transfer.


The File Transfer Utility is still loaded at the Sniffer server. To 
terminate the File Transfer Utility when you are finished, return to the 
server, and press the Esc key.

Chapter 3. Setting up the Sniffer Server


Chapter Overview 


Installation and configuration of the Sniffer server is a two-stage 
process. This chapter explains the first stage. Chapter 4 covers the 
second stage. 


This chapter is divided into three parts. The first part includes the 
basic steps for setting up any type of server no matter what transport 
protocol you are using or what network interface cards are installed. 
The second part includes specialized procedures for particular 
transport protocols. Finally, the third part includes information about 
configuring and connecting particular network interface cards. 


Initial Configuration and Installation 


This section describes the first stage in setting up your server. Sniffer 
servers come almost ready to go. There are a few things you'll need to 
do to set them up: 


* Attach the Keyboard Terminator. A keyboard terminator is
  packed with each server. It looks like a small red thimble.
  You'll need to insert it into the back of the server. Sniffer
  servers will not operate correctly without the keyboard
  terminator. A spare is included for your convenience.

* Configure Transport Protocol (TCP/IP only). You need to
  do this only if the information was not preconfigured at the
  factory or if some of the information has changed since the
  initial configuration. The Sniffer Server Initialization Program
  lets you enter the IP address, the subnet mask, the default
  gateway address, and SNMP trap targets.

* Connect the Transport and Monitor Cards. Each Sniffer
  server has two network interface cards (NIC). One NIC, the
  Transport Card, is for SniffMaster console communications;
  the other, the Monitor Card, is for observing a network. Sniffer
  servers can observe and communicate with the SniffMaster
  console on the same network. Sniffer servers can also observe
  on one network segment, ring, or link and communicate with
  the SniffMaster console on another network segment, ring, or
  link.

* Check the Server Diagnostics. Each Sniffer server has a
  built-in diagnostic program that runs automatically on startup.
  It uses distinctive beeps to tell you that it is functioning
  properly.

To set up a Sniffer server:


uF 


Attach the keyboard terminator to the back of the unit (see 
Figure 2-5). 


Note: The keyboard terminator looks like a small red thimble. 
It must be in place for a server to work. It is packed separately 
to prevent damage to the server. 


Are you using TCP/IP as your transport protocol? 
* If yes, see “Configuring TCP/IP” on page 3-6. 
* Ifno, go on to the next step. 


Check the configuration sheet that accompanied your server. 
Are the Transport and Monitor Cards configured correctly for 
your type of network? 


* If token ring, the card data rate will be preconfigured for 
either 16Mbps or 4Mbps. However, if this isn’t correct, you 
can find instructions for changing the configuration in “16/ 
4 Token Ring Network Interface Card” on page 3-12. 


A mismatch of data rate setting on the token ring card with 
the data rate of the network will bring down your network. 


* If Ethernet, the card will be preconfigured for either “Thick 
Ethernet” or “Thin Ethernet.” However, if this isn’t correct, 
you can find instructions for changing the configuration in 
“Thick or Thin Ethernet” on page 3-15. 


4. Connect the server’s Transport Card to the network. Do you 
have token ring or Ethernet? 


* If token ring, you can see the token ring connector in Figure 
3-11. 


* If Ethernet, you can see the Ethernet connectors in Figure 
3-12. Furthermore, if you have an Ethernet transceiver cable 
that is designed for lockposts, you may need an adapter 
plate to secure it to the server’s Transport Card. 
Instructions for this are in “Securing an Ethernet DB-15 
Connector to the Unit” on page 3-19. 


5. Connect the server’s Monitor Card to the network. Do you 
have token ring, Ethernet, or WAN? 


* If token ring, you can see the token ring connector in Figure 
3-11. 


* If Ethernet, you can see the Ethernet connectors in Figure 
3-12. Furthermore, if you have an Ethernet transceiver cable 
that is designed for lockposts, you may need an adapter 
plate to secure it to the server’s Transport Card. 
Instructions for this are in “Securing an Ethernet DB-15 
Connector to the Unit” on page 3-19. 


* If WAN, you can see the WAN connector in Figure 3-13. 
Special instructions for connecting can be found in “WAN 
Server” on page 3-21. 


6. Power on the Sniffer server. 


7. Check the built-in server diagnostics to verify that it started up 
correctly: 


a. Listen for the first beep. This indicates that the hardware 
POST (Power-On-Self-Test) has been completed 
successfully. 


b. Listen for a second audible signal, Checkpoint 1. This signal 
consists of one beep and indicates that the server’s 
operating system environment has been set. 


c. Listen for a third audible signal, Checkpoint 2. These two 
beeps indicate that memory is initialized. 


d. Listen for the fourth audible signal, Checkpoint 3. The three 
beeps indicate that the communications software has been 
installed. 


e. Listen for the final musical chime. It tells you that the server 
is ready. 


Note: If the server failed at any of these checkpoints, check 
the procedures in Appendix A, “Troubleshooting Guide.” 


8. Continue on with Chapter 4., “Configuring the Sniffer Server.” 


Transport Protocols 


In this section, you'll find instructions for configuring the transport 
protocol installed on your SniffMaster consoles and Sniffer servers. 
The protocols covered are: 


* TCP/IP 
* NetBIOS/NetBEUI 
* NetBIOS/IPX 
Configuring TCP/IP 


This section explains how to configure the TCP/IP protocol software. 
You must enter an IP address, IP subnet mask, and IP gateway for a 
server. Also, you can specify SNMP trap targets that let servers direct 
alarm information to SNMP Network Management Stations. 


You will use the IP Initialization Program. This utility has two 
additional uses not described in this section: setting the number of 
connections to a unit and setting the TCP window size. You can find 
additional information on the uses of this program in Appendix B, 
“Troubleshooting and Fine Tuning Utilities.” 


Servers are very powerful and compactly-built computers. To 
configure TCP/IP protocol software on the server's hard disk, you'll 
need to attach a terminal or a PC running a terminal emulation 
program. Then you'll configure the TCP/IP protocol software using 
the attached terminal. 


Included with the SniffMaster console software is the terminal 
emulation software. You can use this package when using the console 
to configure TCP/IP on servers. 


To attach a PC or terminal to a Sniffer server: 


1. Attach one end of a null modem cable to the server's COM1 port 
(Figure 2-5) using the DB-25 connector. 


Note: Network General includes a null modem cable with each 
SniffMaster console. It is a special cable that allows two PCs to 
be directly connected. 


Note: You probably will never have to adjust the COM port 
parameters for a server. In the event that you do, see 
“IOFORK.SYS Utility” on page B-11. 


2. What are you using as an external terminal to the server? 


* If you're using a SniffMaster console, attach the other end 
of the cable to the asynchronous communications interface 
(COM port 1) on a SniffMaster console. 


* If you’re using an ASCII terminal, attach the other end of the 
cable to the serial port on an ASCII terminal. 


Note: The required settings are: 9600 baud, no parity, 8 data 
bits, and 1 stop bit. 


* If you’re using a PC running terminal emulation software, 
attach the other end of the cable to the COM1 port on a PC 
running terminal emulation software. 


3. Enter terminal emulation mode if you've attached the 
SniffMaster console or a PC to the server: 


* If you're using the console, follow the steps in the next 
procedure. 


* If you're using some other terminal emulation software, 
you'll need to refer to its documentation for specific 
instructions. 


To enter terminal emulation mode using a SniffMaster console: 


1. Power on the SniffMaster console. 

2. Exit the SniffMaster console software. 

3. At the DOS prompt, type CD C:\CONSOLE\R2CALL. 

4. Press Enter. 

5. At the prompt, type R2CALL. 

6. Press Enter. 


Result: The Dialing Directory screen appears (Figure 3-1). 


Remote2 Call                                   Dialing directory 


Name      Description                            Phone number 


NORMAL    New entries start with these defaults 
SERVER    Configure Sniffer Server Via Com 


Call SERVER                 Delete SERVER 
Configure your system       Change setup for SERVER 
Quit; return to DOS         Create a new entry 


Figure 3-1. The Dialing Directory screen. 


7. Press the Cursor Down key to highlight the name SERVER in 
the extreme left hand column. This is an R2CALL profile that 
has been pre-configured with the proper settings to 
communicate with COM1 of the server. 


8. Press Enter. 


Result: A blank screen appears. You are now in terminal 
emulation mode. 
To configure the TCP/IP protocol software on the server: 


1. Power on the Sniffer server. 


Result: You will hear and see a sequence of diagnostic tones 
and messages. They will let you know whether or not the 
server is functioning normally. 


2. Check the built-in server diagnostics to verify that it started up 
correctly: 


a. Listen for the first beep. This indicates that the hardware 
POST (Power-On-Self-Test) has been completed 
successfully. 


b. Listen for a second audible signal, Checkpoint 1. This signal 
consists of one beep and indicates that the server's 
operating system environment has been set. 


c. Listen for a third audible signal, Checkpoint 2. These two 
beeps indicate that memory is initialized. 


Note: If the server shipped without an IP address, it will stop 
at the Initialization Program Menu (Figure 3-2) at this point 
and will not allow you to go any further until you specify 
an IP address. 


Note: After you configure a server and reboot, you will 
have five seconds to hit any key to pause. Then you can 
change the configuration values for a TCP/IP Sniffer 
server. 


d. Listen for the fourth audible signal, Checkpoint 3. The four 
beeps indicate that the communications software has been 
installed. 


e. Listen for the final musical chime. It tells you that the server 
is ready. 


Note: If the server failed at any of these checkpoints, check 
the procedures in Appendix A, “Troubleshooting Guide.” 


3. If the server was shipped with an IP address, look for the 
Sniffer server IP Initialization Program Menu on the console 
screen (Figure 3-2). 


Note: The server will pause automatically after the third 
audible signal if you need to configure the TCP/IP protocol 
software. After you configure a server and reboot, you will 
have five seconds to hit any key to pause. Then you can change 
the configuration values for a TCP/IP Sniffer server. 
Network General IP initialization program. Version 9.97 
(C) Copyright 1991, Network General Corporation 
Using wintcp info file C:\wintcp\wintcp.sus 


If you change any settings, this system will optionally reboot when you quit. 


Ipinit commands (and current settings): 
address - Set IP address         [currently set to 0.0.0.0] 
subnet  - Set IP subnet mask     [currently set to 0.0.0.0] 
gateway - Set default IP Gateway [currently set to 0.0.0.0] 
targets - Set SNMP trap targets  [currently set to none] 
help    - Display this menu 
quit    - Exit to DOS 
update  - Save changes 


Internet address must be set to proceed. 


Ipinit> 


Figure 3-2. Sniffer server IP Initialization Program Menu as it appears on 
the SniffMaster console running terminal-emulation software. 


Figure 3-2 shows a menu that lets you set up to four options 
with the Sniffer server IP Initialization Program Menu. The 
table in Figure 3-3 lists and describes the options available on 
the menu: 


Option     Description 


address    Sets the IP address. 


subnet     Sets the IP subnet mask. Subnet masks let you 
           partition your network and, thereby, allow more 
           address assignments. 


gateway    Sets the default IP gateway. 


targets    Defines the IP address or addresses to which 
           Simple Network Management Protocol (SNMP) 
           traps generated by this server will be sent. 
           To interpret the SNMP traps at the target Network 
           Management Station, see the Distributed Sniffer 
           System: Installation and Operations Manual. 


Figure 3-3. Options on the Sniffer server IP Initialization Program Menu. 


4. To change a setting: 


a. Type the first letter of the appropriate command, for 
example, “a” for address. 


b. Press Enter. 


Result: The program will provide you with further 
instructions and information for changing the setting. 


Note: If you ever want to start the IP Initialization Program 
from the server’s DOS prompt, type 


C:\ipinit -p 


You will get the standard Sniffer server IP Initialization 
Program menu that includes options for address, subnet 
mask, and targets. 


5. Write the address, subnet mask, gateway, and targets of each 
Sniffer server in your Distributed Sniffer System records. See 
Appendix C, “Configuration Record.” 


6. Press “u” to update changes. 


7. Press “q” to quit the program. 

8. Press any key to confirm intention to exit and to reboot. 
Note: You must reboot to install the new configuration. 

9. Power off the server. 


10. Continue on with Step 3. on page 3-4. 


Two Examples 


Figure 3-4 provides an example for changing settings on a Sniffer 
server with TCP/IP. 


(C) Copyright 1991, Network General Corporation 
Using wintcp info file C:CONSOLE\wintcp\wintcp.sys 


If you change any settings, this system will optionally reboot when you quit. 


Ipinit commands (and current settings): 

address - Set IP address         [currently set to 0. 
subnet  - Set IP subnet mask     [currently set to 0. 
gateway - Set default IP Gateway [currently set to 0. 
targets - Set SNMP trap targets  [currently set to n 
help    - Display this menu 
quit    - Exit to DOS 
update  - Save changes 


Internet address must be set to proceed. 


Ipinit> address 

Enter an IP address or Enter to cancel. 

Example IP address: 192.12.8.59 

> 192.19.0.33 

default subnet mask is 255.255.255.0 (24 bits). Press return if OK, or 
enter new number of subnet bits: 

Ipinit> update 

saving changes to NGC server configuration.... 

System will reset when you quit this program. 

Ipinit> quit 


Figure 3-4. Example of changing settings on a Sniffer server with TCP/IP. 




At the Ipinit> prompt, we entered the address command. The 
program told us to enter an IP address or to press Enter to cancel the 
procedure. We were also given an example of an IP address. After 
entering a new IP address of 192.19.0.33, the program informed us of 
the default subnet mask and asked if that was acceptable or did we 
want to enter a new one. We pressed Enter to verify that it was 
acceptable. When the Ipinit> prompt reappeared, we entered the 
update command and then the quit command. The program 
automatically rebooted the Sniffer server when we pressed any key. 


address - Set IP address         [currently set to 192.42.252.91] 
subnet  - Set IP subnet mask     [currently set to 255.255.255.0] 
gateway - Set default IP Gateway [currently set to 192.42.252.32] 
targets - Set SNMP trap targets  [currently set to 2 trap targets] 
help    - Display this menu 
quit    - Exit to DOS 
update  - Save changes 

hit any key (within 5 seconds) if you want to change anything: 

Ipinit> targets 

Edit trap target list. Current list: 

1 - 192.42.252.1.....  community name: public 
2 - 192.42.252.32      community name: traps 

Options are A(dd), D(elete), Q(uit): a 

Enter IP address to add to list: 192.42.252.86 

Enter community name for target (or Return for default ‘public’: 

Edit trap target list. Current list: 

1 - 192.42.252.1.....  community name: public 
2 - 192.42.252.32      community name: traps 
3 - 192.42.252.86      community name: RnD 

Options are A(dd), D(elete), Q(uit): q 

Ipinit> quit 

Save changes before exiting? (y/n) 

Saving changes to NGC server configuration... 


System will reset when you quit this program. 
Changes saved. Press Esc to abort, any other key to reboot system. 


Figure 3-5. Adding a new SNMP trap target to direct alarm information to 
a Network Management Station. 


Figure 3-5 shows an example of adding an SNMP trap target. As you 
can see, the Sniffer server was set up for two trap targets when the 
Sniffer server IP Initialization Program Menu displayed. We entered 
the command, targets, and the program showed the current trap 
target list. We opted to add a new trap target to the list by entering an 
“a” at the prompt. The program prompted us first to enter the IP 
address of the new trap target and then its community name. 
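
The address, subnet, gateway and trap-target values entered in Figures 3-4 and 3-5 can be checked for consistency before they go into the configuration record. The Python below is an added example, not part of the manual or of Ipinit; the record layout and function names are hypothetical, the first record is modelled on Figure 3-5, and the second is constructed.

```python
import ipaddress

DEFAULT_COMMUNITY = "public"   # default offered at the targets prompt (Figure 3-5)
UNSET = ipaddress.IPv4Address("0.0.0.0")


def mask_from_bits(bits):
    """Dotted-decimal mask for a number of subnet bits, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def check_record(rec):
    """Return a list of findings for one server's TCP/IP settings.

    rec is a dict (hypothetical layout) with keys address, mask, gateway and
    targets, where targets is a list of (ip, community name) pairs.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{rec['address']}/{rec['mask']}")
    except ValueError as exc:
        return [f"address/mask not usable: {exc}"]
    if iface.ip == UNSET:
        return ["IP address is unset; it must be set to proceed"]

    findings = []
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{iface.ip} is the network or broadcast address of {net}")

    try:
        gateway = ipaddress.IPv4Address(rec["gateway"])
    except ValueError:
        findings.append(f"gateway {rec['gateway']!r} is not a dotted-decimal address")
        gateway = UNSET
    if gateway != UNSET and gateway not in net:
        findings.append(f"gateway {gateway} is outside the server's subnet {net}")
    if gateway == iface.ip:
        findings.append("gateway is the server's own address")

    seen = set()
    for ip_text, community in rec["targets"]:
        try:
            target = ipaddress.IPv4Address(ip_text)
        except ValueError:
            findings.append(f"trap target {ip_text!r} is not a dotted-decimal address")
            continue
        if target in seen:
            findings.append(f"trap target {target} is listed twice")
        seen.add(target)
        # Traps to another subnet need a default gateway to be routed.
        if target not in net and gateway == UNSET:
            findings.append(f"trap target {target} is off-subnet and no gateway is set")
        if community == DEFAULT_COMMUNITY:
            findings.append(
                f"trap target {target} uses the default community name 'public'")
    return findings


# Record modelled on the settings shown in Figure 3-5.
FIGURE_3_5 = {
    "address": "192.42.252.91",
    "mask": "255.255.255.0",
    "gateway": "192.42.252.32",
    "targets": [("192.42.252.1", "public"),
                ("192.42.252.32", "traps"),
                ("192.42.252.86", "RnD")],
}

# Constructed record: address from Figure 3-4, no gateway, one mistyped target.
CONSTRUCTED = {
    "address": "192.19.0.33",
    "mask": mask_from_bits(24),
    "gateway": "0.0.0.0",
    "targets": [("192.42. 252.32", "traps"),
                ("192.42.252.86", "RnD"),
                ("192.19.0.40", "public")],
}

if __name__ == "__main__":
    for name, rec in (("Figure 3-5", FIGURE_3_5), ("constructed", CONSTRUCTED)):
        print(name)
        for finding in check_record(rec) or ["no findings"]:
            print("  -", finding)
```
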


Network Interface Cards 


This section covers special procedures you may need to configure and 
to connect network interface cards. In this section of the chapter, we 
do not distinguish between Transport Cards and Monitor Cards 
because the same type of card often serves both purposes. 
Configuring Network Interface Cards 


You must reconfigure a token ring network interface card if you want 
to change its data rate, for example, to switch a server's NIC from a 
4Mbps token ring to a 16Mbps token ring. Another situation where 
you must reconfigure is when you want to switch your Ethernet card 
from thick to thin Ethernet. 


16/4 Token Ring Network Interface Card 




The 16/4 token ring adapter card can transmit and capture data over 
a token ring network at either of two rates: 16 Mbps or 4 Mbps. Make 
sure you have set the data rate to the appropriate speed before 
connecting a Sniffer server or SniffMaster console to a token ring 
network. Connecting a 4 Mbps Sniffer server or SniffMaster console to 
a 16 Mbps network, or vice versa, will bring down the LAN. 


The data rate switch on the adapter card must match the network data 
rate before you connect the Sniffer server or SniffMaster console. 
Sniffer servers and SniffMaster consoles usually come from the 
factory with the data rate switch set to your specification. However, 
you can use your Sniffer server or SniffMaster console on either a 4 
Mbps or 16 Mbps network by changing the data rate switch on the 
token ring adapter card to match the data rate of the network to which 
you are connecting. 


Each token ring adapter card has one switch block with twelve 
switches on its component side (Figure 3-6). The twelve switches on 
the block can easily be moved into the wrong positions. Always 
handle the card carefully and check each switch to make sure it is in 
the appropriate position. 


The switch settings shown in Figure 3-6 represent no particular 
configuration. 


Switch Block 


Figure 3-6. Switch block on the token ring card. 


Figure 3-7, below, illustrates a switch from this block set in the 
“off” position. 


Switch 


Switch In Off 
Position 


Switch 
Representation 


Figure 3-7. Switch in the “off” position. 


Switch 12 on the switch block controls the rate at which the adapter 
will pass data to the network. You can set the adapter data rate to 
either 16 Mbps or 4 Mbps depending on the network speed. 


Below are complete instructions for configuring the card for 16 or 4 
Mbps. However, if you need further information on reconfiguring the 
card, see Local Area Network Support Program, User's Guide. 


To set the data rate on the token ring NIC: 


1. Power down the unit. 

2. If necessary, remove the token ring card. 


3. Move switch 12 to the “off” position for 16 Mbps or to the “on” 
position for 4 Mbps. 


Note: Figure 3-7 shows the difference between the “on” and 
the “off” positions. See also the illustration of switch 12 on the 
switch block in Figure 3-8 for the correct positions for each data 
rate. 


Be extremely careful not to move other switches when you 
move switch 12. The defaults were set at the factory and should 
not be changed, except possibly in the case of a 
board-and-software console. 


Switch Block 


Data Rate: 
4 Mbps 


Data Rate: 
16 Mbps 


Figure 3-8. Data rate switch positions for switch 12. 


Thick or Thin Ethernet 


This section describes how to change an Ethernet card to “Thick 
Ethernet” or “Thin Ethernet.” 


Your Ethernet card has two connectors (Figure 3-12): 


* An AUI (Attachment Unit Interface) or DIX (DEC/Intel/ 
Xerox) DB-15 connector used to attach to an external 
transceiver for “Thick Ethernet.” 


* A BNC (bayonet-Neill-Concelman) connector for “Thin 
Ethernet” that uses the on-board transceiver. 


The Distributed Sniffer System utilizes two different Ethernet NICs, 
depending on the particular needs and parts of your system: 


* One is the InterLan NI5210. 
* The other is the 3Com 3C505. 


Both Ethernet cards come preset from the factory for “Thick Ethernet” 
or “Thin Ethernet,” depending upon the configuration you ordered. 


InterLan NI5210 NIC 


The transceiver select switch is located on the mounting bracket of the 
board. The switch is labeled “E” for standard Ethernet and “T” for 
Thin Ethernet (Figure 3-9). 


If your NIC was installed at the factory with the switch in the “E” 
position, the external transceiver is selected, and you can use the card 
with “Thick Ethernet.” On the other hand, if your NIC was installed 
with the switch in the “T” position, the on-board transceiver is 
selected, and you can use the card with “Thin Ethernet.” 


To reconfigure your card you must change the transceiver select 
switch from one position to the other. 


To reconfigure the InterLan NI5210 NIC: 


1. Power down the unit. 


2. Locate the transceiver select switch on the mounting bracket of 
the NI5210 (Figure 3-10). The switch is labeled “E” for standard 
Ethernet and “T” for Thin Ethernet. 


3. Push the switch to the setting you want. 


4. Turn the unit on. 


Transceiver Select Switch 


Figure 3-9. Transceiver select switch for the InterLan NI5210 Ethernet NIC. 


3Com 3C505 NIC 


If your Ethernet card (3Com 3C505) was installed at the factory with 
the jumper block in the AUI position, the external transceiver is 
selected, and you can use the card with “Thick Ethernet.” If it was 
installed in the BNC position, the on-board transceiver is selected, and 
you can use it with “Thin Ethernet.” 


To change transceivers, you must change the AUI/BNC select jumper 
from one position to the other. 


To reconfigure the 3Com 3C505 NIC: 


1. Power down the unit. 

2. Remove the Ethernet card. 

3. Pull off the AUI/BNC select jumper on the Ethernet card. 

4. After you remove the jumper, look for bent or damaged pins. 

5. Look for the “BNC” and “AUI” labels on the card. Line up the 
jumper with the pins associated with the appropriate label. 


6. Carefully press the jumper into the new position. Apply even 
pressure when you insert the jumper to avoid bending any of 
the pins. 


7. Put the Ethernet card back in the unit. 




8. Turn the unit on. 


Figure 3-10. AUI/BNC select jumper for the 3Com 3C505 NIC. 


Connecting Network Interface Cards 


This section contains illustrations of the different types of network 
connectors on servers and consoles and special instructions for 
connecting the Ethernet and WAN cards. 


Console and Server Network Connectors 


Figure 3-11 shows a 16/4 token ring card with a DB-9 female 
connector. The token ring card works with token ring media filters as 
well. 


You can order a token ring connector cable for the Sniffer server. This 
8-ft. cable has an IBM data connector for a token ring multiple access 
unit (MAU) at one end and a male DB-9 connector at the other. You 
connect it by plugging the male DB-9 cable connector into the female 
DB-9 connector on the card. Then, plug the other end of the cable into 
an IBM MAU model 8228 or equivalent. Always use a port numbered 
1 to 8 rather than ports labeled RI or RO. 


Token-Ring 


Figure 3-11. Token ring network connector. 


Figure 3-12 shows two connectors on the 3Com 3C505 Ethernet card: 
a DB-15 connector used to attach to an external transceiver for “Thick 
Ethernet” and a BNC connector for “Thin Ethernet.” 


Figure 3-12. Two connectors on the 3Com 3C505 Ethernet NIC. 


Figure 3-13 shows the WAN NIC with its DB-25 connector. 




Figure 3-13. WAN DB-25 network connector. 


Securing an Ethernet DB-15 Connector to the Unit 


An Ethernet DB-15 cable connector is commonly secured by a slide on 
the cable connector that attaches to a lockpost on the device. Personal 
computers generally come with screw posts that secure cables by 
screwing them down. If you have a cable designed for lockposts, you 
need an adapter plate (included with the unit) to secure it to the unit’s 
adapter card. 


Install the adapter plate on the end of the cable that will be secured to 
the unit’s Ethernet adapter card. The adapter plate clips onto the DB- 
15 connector. Use the screws that come with the adapter plate to 
secure it to the connector. If you don’t need the adapter plate now, set 
it aside for some future occasion, and skip the following procedure. 


You must use standard Ethernet transceiver cables with lockposts in 
order for the slide latch adapter to work with the InterLan NI5210 
NIC. 


To install the adapter plate for screw connections: 


1. To install the adapter plate, you'll need a small flat-bladed 
screwdriver. 


2. Slide the threaded clips onto both ends of the adapter plate (a) 
and insert the screws into the clips (b). At the top of Figure 3-14, 
you can see one of the clips positioned to slide on. At the 
opposite side, a clip is in place with the screw inserted. 


Threaded Clip 


Latch Adapter 


Locking Post 


Male Connector End of Transceiver Cable 


Figure 3-14. Adapter plate ready for attachment to a D-connector with 
lockpost. 

3. Align the slots in the adapter plate with the indents in the 
lockposts on the transceiver cable (c). 

4. Press the adapter plate until it snaps into position on the 
connector. 

5. Plug the connector with its adapter plate into the DB-15 
connector in the expansion slot. 

6. Fasten the screws to the threaded receptacles above and below 
the connector, as shown in Figure 3-15. 


DIX Ethernet 


Figure 3-15. Connecting a cable with adapter plate to the unit’s Ethernet 
card. 


WAN Server 


The WAN card has a DB-25 female connector (Figure 3-13) and comes 
with a DB-25 cable (Figure 3-16). A V.35 interface pod and cable is 
also included. 


DB-25 Cable 


The DB-25 cable accompanying each unit has three labeled connectors 
illustrated in Figure 3-16. Using these three connectors, you can 
connect your unit between either two other computers or between a 
computer and a modem. 




To connect the DB-25 cable: 


1. Attach the male-connector labeled DCE (Data 
Communications Equipment) to either a modem or another 
computer. 




2. Attach the female-connector labeled DTE (Data Terminal 
Equipment) to another computer. 


3. Attach the male-connector labeled Sniffer server to the DB-25 
network connector on the Sniffer server. 
To network 


To Sniffer Server 


Figure 3-16. DB-25 cable with three connectors for WAN units. 


V.35 Interface Pod and Cable 

One option includes a V.35 interface pod and cable that converts 
RS-232 signals into V.35 signals (Figure 3-17). 


To network 


To network 


Figure 3-17. WAN interface pod and network connector. 


To attach a server to a WAN network with the V.35 cable and 
interface pod: 


1. To attach the server to a V.35 connector, you must first 
dismantle the existing V.35 network connection. Breaking the 
connection leaves one free female connector and one free male 
connector. 


2. Network General supplies an interface pod with two female 
connectors on it and a V.35 cable with two male connectors. 
Plug one male end from the V.35 cable into the female 
connector from the connection you dismantled. 


3. Plug the other male connector from the V.35 cable into the V.35 
connector on the interface pod. 


4. Plug the male connector from the connection you dismantled 
into the remaining female connector on the V.35 interface pod. 


5. There is also a DB-25 connector at one end of the V.35 interface 
pod. Plug one end of the DB-25 cable into the DB-25 connection 
on the V.35 interface pod. 


6. Plug the other end into the DB-25 connector on the server. 


7. There are two female V.10/V.11 connectors on either side of the 
interface pod that you will not use. 
CHAPTER FOUR: CONFIGURING THE SNIFFER SERVER 


Chapter 4. Configuring the Sniffer Server 


Chapter Overview 


This chapter covers the final stage of installing and configuring the 
Sniffer server. You've configured the protocol stack (if you use TCP/ 
IP) of the Sniffer server, attached it to the network, and completed 
checking its built-in diagnostics. 


There are three main sections to this chapter. The first two cover the 
procedures for completing configuration of the Sniffer server. The last 
section of the chapter shows you how to reconnect the server and to 
load the applications on the server. 


Configuring the Server 


The final configuration of servers has just a few steps: 


Establish Console-Server Communications. First, you must 
establish communications between a SniffMaster console and the 
Sniffer server. 


Use the Server Configurator Utility. Next, you use the Server 
Configurator utility to change such things as the server’s password, 
the number of consoles that can connect to the server, the server's 
display mode, and so on. 


Establishing Console-Server Communications 


Before you can use the Server Configurator utility, you must establish 
communications with the server through a SniffMaster console. The 
key step in doing this is to enter the server's transport address at the 
console. You will then put its Main Selection Menu up on the 
SniffMaster console’s display. A selection on the main Selection Menu 
lets you open the Configurator. 


To establish communications with the server through a console: 


1. On the SniffMaster console Main Menu, highlight the Manage 
names item (Figure 4-1). 
Network General                      Display alarm log 
                                     Control servers 
SniffMaster Console                  Screen carousel 
                                     Manage names 
NetBIOS                              "MajorDomo" Options 
Version 1.80                         Exit 


(C) Copyright 1989-1991 
Add, modify, or remove servers from the list. 


Use the arrow keys to move, or ENTER to do this function 


1 Help     2 Server list     6 Alarm log 


Figure 4-1. Manage names item on the Main Menu. 


2. Press Enter. 


Result: The Manage Names list appears (Figure 4-2). 


             NetBIOS : NGCTQ7FBE6 
RnD Closet   NetBIOS : RnD CLoset 


Use ↑ and ↓ and ENTER, or ESC to exit 


Figure 4-2. Manage Names list. 


3. With the highlight on <New server>, press Enter. 




Result: A field appears for entering a symbolic server name. 


MANAGE NAMES 


Enter a name for the new station: 


Figure 4-3. Manage Names dialog box for entering station name. 


4. Type in a symbolic name for the new Sniffer server. 


Note: The name you enter can help you identify or differentiate 
each server more readily. This symbolic name serves no other 
purpose in the operation of the Distributed Sniffer System. 


5. Press Enter. 


Result: A field appears for entering the transport address of the 
server (Figure 4-4 for TCP/IP and Figure 4-5 for NetBIOS). 


6. Type the address in the field provided. The format you use 
depends on the transport protocol. Are you entering a NetBIOS 
address or a TCP/IP address? 


* If it’s a TCP/IP address, use dotted decimal notation. You 
must use the address you entered when you configured the 
server. See Figure 4-4. 


If the TCP/IP transport address was installed at the factory, 
you can find the address on the configuration sheet 
accompanying the unit. Otherwise, get the address from 
your local network administrator. 
MANAGE NAMES 


Enter a name for the new station: 


Enter a TCP/IP address for the new station, 
in the format n.n.n.n 


15.8..104.10 


Figure 4-4. Dialog box for entering a new TCP/IP address. 


* If it’s a NetBIOS address (IPX or NetBEUI transport 
protocol), you can use up to 16 characters. The address is 
space and case sensitive. You must use the address you 
entered when you configured the server. See Figure 4-5. 


If the address was installed at the factory, you can find the 
address on the configuration sheet accompanying the unit, 
or you can derive it from the Transport Card address. 


The default NetBIOS addresses are based on hardware 
addresses. An example would be NGCT786E82. When you 
use the Configure Server utility, you can substitute another 
address for the factory-assigned NetBIOS address to make 
it easier to remember and to eliminate entry errors: 

a. Find the board address label attached to the bottom of 
the server. 
Note: The board address has 12 hex characters, for 
example, 10005A786E82 (hex). You will use the last 6 
characters of this board address to record the NetBIOS 
address assigned at the factory. 

b. To find the NetBIOS address, replace the first 6 
characters of the board address. Do you have token ring 
or Ethernet? 




* Token ring. If you have a token ring board, 
substitute NGCT for the first 6 characters of the 
address. Using the address above as an example, 
you would have a NetBIOS address of 
NGCT786E82. 


* Ethernet. If you have an Ethernet board, substitute 
NGCE for the first 6 characters of the address. For 
example, a board with the address, 02070108159C, 
would have the NetBIOS address, NGCE08159C. 


c. If you cannot easily see the address on the label (e.g., on 
a rack with other machines or in a closet), use the extra 
label accompanying the Sniffer server. Put it where you 
will be able to see it. 


d. Write the NetBIOS address of each Sniffer server in 
your Distributed Sniffer System records. See Appendix 
C, “Configuration Record.” 


MANAGE NAMES 


Enter a name for the new station: 


clone386sx 


Enter a NetBIOS address for the new station, 
with up to 16 characters: 


NGCTO508FB 


Figure 4-5. Dialog box for entering a new NetBIOS address. 

7. Press Enter. 
8. Press the Esc key to exit to the Main Menu. 
Result: The Main Menu appears. 
9. Press F2 (Server List). See Figure 4-6. 
SERVER STATUS, sorted by server name                      14:39:27 


Server       Current      Monitor's    Transport     Messages 
name         status       alarm        address       exchanged 


clone386sx   Logged on    Critical     clone386sx 
inan Logg Finan 
RnD Closet   Logged on    Minor        RnD CLoset 


Use arrow keys to scroll, ESC to terminate. 
1 Help   3 Misc control   Menus   Alarm log   7 Dis-connect   8 Server screen   9 Screen carousel 


Figure 4-6. Server Status list of Sniffer servers. 


10. Use the Cursor keys to highlight the Sniffer server to which you 
want to connect. 


11. Press F7 (Connect), or press Enter. 


Result: The Password window appears (Figure 4-7). 


SERVER STATUS, sorted by server name                 14:39:27


Server        Current      Monitor's    Transport     Messages
name          status       alarm        address       exchanged


clone386sx    Logged on    Critical     NGCT78726D
inan          Logged o                  inan
RnD Closet    Logged on    Minor        RnD CLoset

CONNECTING
Connecting to "clone386sx" at NetBIOS:NGCT78726D


Enter the password for clone386sx:


Use arrow keys to scroll, ESC to terminate.


Figure 4—7. Field for entering the server’s password. 




12. Type the default password: ngc. 
Note: The password is case sensitive.
13. Press Enter. 


Result: If the connection is successful, the Current Status 
column of the Server Status display will read “Logged on” and 
a musical chime will audibly signal connection if you enabled 
sound. If unsuccessful, the column will read “Logged off” or 
“Lost.” 


* If successful, go on to the next section, “Using the Sniffer 
Server Configurator,” to configure the server. 


* If not successful, check Appendix A, “Troubleshooting
Guide.” 


Using the Sniffer Server Configurator 


The Server Configurator’s menu system works exactly the same way 
as the SniffMaster console menu system. For more information about 
the basic menu conventions used with the Distributed Sniffer System 
products, see the Distributed Sniffer System: Installation and Operations 
Manual. This utility gives you up to ten options, depending on the
type of server, that are listed and described in the table in Figure 4-8.
Option | Function


Redirect LPT2 | When selected, redirects local server’s LPT2 port to the console. At the console,
you can specify LPT1, COM1, or a file. When deselected, output goes to LPT2 port.


Auto Start (monitor only) | When selected, automatically starts the monitor application upon re-booting.
When this option is deselected, you must start the monitor application manually.


Display Mode | Chooses video parameter for displaying the server's screen on the SniffMaster
console. Default is color. Choose mono, color, plasma, or LCD.


Address (NetBIOS only) | Provides a user-defined NetBIOS address that replaces the default NetBIOS
address given at the factory. 16-character maximum. Case and space sensitive.
Enter it in the NetBIOS address field of the console’s Manage Names dialog box.
See the Distributed Sniffer System: Installation and Operations Manual.


Password | Specifies the password to be used when connecting from a SniffMaster console.
16-character maximum. Case and space sensitive. Default password is “ngc”.


Consoles | Sets the number of SniffMaster consoles that can simultaneously connect to this
server. Default is one console. Choose one or two consoles.


Keepalive | Enables server messages to console indicating that the server is ready for
connection. If the console does not receive the “keepalive” message at the
specified interval, it knows the connection is lost. Adjust for your particular
network. Higher “keepalive” interval recommended for slower networks.
Default is 5. The interval can be 5 to 999 seconds.


Timeout | Sets the transport transmission timeout, the amount of time a server will wait
before retransmitting a message. Adjust for your particular network. Higher
timeouts recommended for slower networks. Default is 5. Enter a value between
1 and 60 seconds.


Delta | Sets the time period between screen updates. Lower deltas make smoother screen
updates. Default is 0.5 seconds. Enter a value from 0.1 to 9.9 seconds.


Save | Saves the configuration to the server's hard disk.


Exit | Quits the configurator and displays the Sniffer server's Main Selection Menu.

Figure 4-8. Options available with the Server Configurator utility. 
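

The factory-address rule (NGCT or NGCE plus the last 6 characters of the board address) and the limits in Figure 4-8 can be checked mechanically against your configuration records. The following Python example is added here and is not part of the manual or of any Network General software; the record layout, field names and function names are assumptions, and the sample records are constructed.

```python
"""Check Sniffer server configuration records against the manual's stated limits.

Added example: record fields and function names are hypothetical. The limits,
the default password and the NGCT/NGCE rule are the ones stated in the manual.
"""
import re

FACTORY_PASSWORD = "ngc"                      # factory default password
MEDIA_PREFIX = {"token ring": "NGCT", "ethernet": "NGCE"}
MAX_FIELD_LEN = 16                            # address and password maximum
RANGES = {                                    # option: (low, high, integer only)
    "consoles": (1, 2, True),
    "keepalive": (5, 999, True),
    "timeout": (1, 60, True),
    "delta": (0.1, 9.9, False),
}


def factory_netbios_address(board_address, media):
    """Replace the first 6 of the 12 hex characters with NGCT or NGCE."""
    addr = board_address.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{12}", addr):
        raise ValueError("board address must be 12 hex characters")
    prefix = MEDIA_PREFIX.get(media.strip().lower())
    if prefix is None:
        raise ValueError("media must be 'token ring' or 'ethernet'")
    return prefix + addr[6:]


def effective_address(record):
    """A user-defined address replaces the factory one; otherwise derive it."""
    return record.get("address") or factory_netbios_address(
        record["board_address"], record["media"])


def audit(record):
    """Return a list of findings for one configuration record."""
    findings = []
    # A server with no recorded password is assumed to still have the default.
    password = record.get("password", FACTORY_PASSWORD)
    if password == "":
        findings.append("password: blank, no password is required to connect")
    elif password == FACTORY_PASSWORD:        # exact match: case sensitive
        findings.append("password: still the factory default")
    if len(password) > MAX_FIELD_LEN:
        findings.append("password: longer than 16 characters")

    address = record.get("address")
    if address:
        if len(address) > MAX_FIELD_LEN:
            findings.append("address: longer than 16 characters")
        if address != address.strip():
            # Addresses are space sensitive, so a stray space in the record
            # will not match what is typed at the console.
            findings.append("address: leading or trailing space")

    for option, (low, high, integer_only) in RANGES.items():
        if option not in record:
            continue
        value = record[option]
        if integer_only and not isinstance(value, int):
            findings.append(f"{option}: {value!r} is not a whole number")
        elif not low <= value <= high:
            findings.append(f"{option}: {value} is outside {low} to {high}")
    return findings


# Constructed sample records; board addresses are the manual's two examples.
SAMPLE_RECORDS = [
    {"name": "clone386sx", "board_address": "10005A786E82", "media": "token ring",
     "password": "ngc", "consoles": 1, "keepalive": 5, "timeout": 5, "delta": 0.5},
    {"name": "RnD Closet", "board_address": "02070108159C", "media": "ethernet",
     "address": "RnD Closet ", "password": "", "consoles": 3, "keepalive": 2,
     "timeout": 5, "delta": 0.5},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], "->", repr(effective_address(rec)))
        for finding in audit(rec):
            print("   ", finding)
```

Run over the whole server inventory, the findings list shows which units still accept the factory password or no password at all before they are connected to a production segment.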


To configure the new Sniffer server:


1. With the highlight on the connected new server in the Server 
Status list, press F8 (Server screen). 


Result: The Sniffer server’s Main Selection Menu appears. 


2. Use the Cursor keys to highlight the Configure Server item in 
the Sniffer server’s Main Selection Menu (Figure 4-9). 


Server “RnD”; F11 for list, F12 for menus


Sniffer Server


Main selection menu:
Ethernet Monitor      File Transfer Utility
Ethernet Analyzer     Configure Server
Ethernet Analyzer     Exit to the Operating System


Go to the Sniffer Server configuration menu.


Use arrow keys to select, then press Enter.


Figure 4-9. Sniffer server Main Selection Menu. 
3. Press Enter. 


Result: The result of this action depends on which Sniffer 
application you have running on your server: 


* If you are configuring a server running just the analyzer 
application, or both the analyzer and the monitor 
applications, the Configure Analysis Server menu appears 
(Figure 4-10). 
Server “TP Analyzer”; F11 for next, F12 for menus


Configure Analysis Server


Protocol Interpreter Combinations


Return to the Main Menu


Run the Sniffer Analysis Server configuration utility.


Use arrow keys to select, then press Enter.


Figure 4-10. Configure Analysis Server menu. 
a. Use the Cursor keys to highlight the Server Parameters 
item. 
b. Press Enter. 


Result: The Server Configurator Main Menu appears 
(Figure 4-11). 


* If you are configuring a server running just the monitor 
application, the Server Configurator Main Menu appears 
(Figure 4-11). 
NetBIOS Server Configurator, Version 1.2


√ Redirect LPT2
x Auto Start
Display Mode
Address = <default>
Password = <none>
Consoles =
Keepalive = 2
Timeout = 5
Delta = 0.5
Save
Exit


Specify the number of consoles that may connect to this server.


Use the arrow keys to move, or ENTER to do this function


Figure 4-11. Server Configurator Main Menu. 


4. Do you want to redirect output to printer port LPT2 to console?


* If no, skip to the next step.


* If yes, use the following procedure:


a. Use the cursor keys to move the highlight to the menu
item, Redirect LPT2.


b. Press the Spacebar.


Result: √ means “selected”; x means “deselected.”


5. Do you want to start the monitor application (on any non-WAN
server) automatically upon re-booting?


* If no, skip to the next step.


* If yes, use the following procedure:


a. Use the cursor keys to move the highlight to the menu
item, Auto Start.


b. Press the Spacebar.


Result: √ means “selected”; x means “deselected.”


6. Do you want to choose a different type of display screen mode
the server will display on the console?


* If no, skip to the next step.


* If yes, use the following procedure:


a. Use the Cursor keys to move the highlight to the menu
item, Display Mode.


b. Use the Cursor Right key to move to the Display Mode 
menu. 


c. Use the Cursor Up or the Cursor Down keys to 
highlight the video parameter you want: Mono, Color, 
Plasma, or LCD. 


d. Press the Spacebar to select. 


Result: The pointer moves to indicate your choice. 


7. Are you using NetBIOS/NetBEUI or NetBIOS/IPX as your 
transport protocol? 


* If no, skip to the next step.


* If yes, you can specify a substitute address for the default 
NetBIOS address of the server. 


Note: Use only with locally administered NetBIOS 
addresses: 


a. Use the Cursor keys to move the highlight to the menu 
item, Address =. 


b. Press Enter. 


Result: The Specify Address window opens (Figure 4-12).


c. Type in the address of the NetBIOS server. 


Server “fmSTU”; F11 for list, F12 for menus


SPECIFY SERVER ADDRESS
Enter the Server's NetBIOS address:


Press ESC to abort


Specify a NetBIOS address for this server.


Use the arrow keys to move, or ENTER to do this function


Figure 4-12. Specify Names window for a NetBIOS server. 




d. Press Enter. 


If you exit the Server Configurator and put the new
configuration into effect, be sure to record the new
transport address you enter here. The address you enter
here replaces the default NetBIOS address. If the address
is lost, recovering it is not easy. Record the new
address in your Distributed Sniffer System records. See
Appendix C, “Configuration Record.” If the address has
been lost, see the procedure, “To find the user-defined
NetBIOS address and to compare it with the server
information entered in the server database:” on page A-10.
You must also enter this address in place of the
Transport-level address in the Manage Names item of
the SniffMaster console. See the section,
“Managing Names” on page 4-13, for more
information.


8. The default password for servers is preconfigured at the 
factory. This secures the unit until you are prepared to enter 
your own password or to eliminate the password. 


The default password is: ngc. 


Do you want to change the password for connecting to the 
Sniffer server? 


* If no, skip to the next step.


* If yes, use the following procedure:


a. Use the cursor keys to move the highlight to the menu
item, Password =.


b. Press Enter.


Result: The Specify Password window opens (Figure 4-12).

Server “fmSTU”; F11 for list, F12 for menus


Specify a password for this server.


Use the arrow keys to move, or ENTER to do this function


Figure 4-13. Specify Password window. 
c. Use the Backspace key to delete the password in the 
field. 


Note: If you leave the field blank, the server will require 
no password when you try to connect to it. 


d. Type in the password that must be entered when 
someone wants to connect to this Sniffer server from a 
SniffMaster console. 


Note: Passwords are case-sensitive. Be sure to 
remember this when connecting to a server. 


e. Press Enter. 


9. Do you want to change the number of possible console 
connections to the Sniffer server? 


* If no, skip to the next step.


* If yes, use the following procedure: 


a. Use the cursor keys to move the highlight to the menu 
item, Consoles =. 


b. Press Enter. 


Result: The Specify Console Connections window 
opens (Figure 4-14). 

c. Enter the number of console connections you want to 
permit. 


d. Press Enter. 


Server “RnD”; F11 for list, F12 for menus


SPECIFY CONSOLE CONNECTIONS


Enter a maximum of 1 or 2 connections:


Press ESC to abort


Specify the number of consoles that may connect to this server.


Use the arrow keys to move, or ENTER to do this function


Figure 4-14. Window for specifying the number of SniffMaster consoles 
that can connect to this Sniffer server. 


10. Do you want to change the interval between “keepalive” 
messages? 


* If no, skip to the next step.


* If yes, use the following procedure: 


a. Use the Cursor keys to move the highlight to the menu 
item, Keepalive. 


b. Press Enter. 


Result: The Specify Keepalives window opens (Figure 
4-15). 


c. Type a value from 5 to 999 to indicate the number of 
seconds between “keepalive” messages. 


Note: When you enable “keepalive” messages, the 
server will tell the console at the interval you specify 
that it is ready for connection. If the console does not 
receive a message within the interval, it will assume 
that the server is inaccessible. The setting you will use 
depends on your particular network. Use higher values 
for slower networks. 


d. Press Enter. 




Distributed Sniffer System: Server Installation Manual 


SPECIFY KEEPALIVES


Enter the number of seconds between keepalive packets.
Valid entries range from 5 to 999 seconds:


Specify the number of seconds between keepalive packets.


Use the arrow keys to move, or ENTER to do this function


Figure 4-15. Window for specifying the interval between “keepalive” 
messages from the server. 


11. Do you want to change the length of the transport transmission 
timeout? 


* If no, skip to the next step.


* If yes, use the following procedure: 


a. Use the Cursor keys to move the highlight to the menu 
item, Timeout. 


b. Press Enter. 
Result: The Specify Transport Timeout window opens 
(Figure 4-15). 

c. Type a value between 1 and 60 to indicate the number of
seconds until a transport transmission timeout. 


Note: The timeout parameter specifies how long the 
server will wait to receive a reply from a console before 
retransmitting a message. The setting you use will 
depend on the circumstances of your network. Use a 
higher timeout for slower networks. 


d. Press Enter. 


SPECIFY TRANSPORT TIMEOUT


Enter a timeout between 1 and 60 seconds:
The default transport timeout is 5 seconds.


Specify the transport transmission timeout.


Use the arrow keys to move, or ENTER to do this function


Figure 4-16. Window for specifying the transport timeout. 
12. Do you want to change the time period between screen 
updates? 
* If no, skip to the next step.


* If yes, use the following procedure: 


a. Use the Cursor keys to move the highlight to the menu 
item, Delta. 


b. Press Enter. 


Result: The Specify Screen Update Period window 
opens (Figure 4-15). 

c. Type a time period between 0.1 and 9.9 to indicate the
number of seconds between screen updates. 


Note: The delta parameter specifies how much time will 
elapse between screen updates from the server to a 
console. A small delta will send more screens and use 
up more bandwidth. A large delta will preserve 
bandwidth but result in a jerkier display on the console. 


d. Press Enter. 
SPECIFY SCREEN UPDATE PERIOD
Enter a time period of 0.1 to 9.9 seconds:


The default period between updates is 0.5 seconds.


Specify the time period between screen updates.


Use the arrow keys to move, or ENTER to do this function


Figure 4-17. Window for specifying the screen update period. 


13. Do you want to save the configuration? 
* If no, skip to the next step.


Note: If you don’t save changes to the configuration, you 
will get a warning when you exit the Server Configurator 
utility asking if you want to discard any changes. Ignore the 
warning when you see it. 

* If yes, use the following procedure: 


a. Use the Cursor keys to move the highlight to the menu 
item, Save. 


b. Press Enter. 
Note: A new configuration is saved to special files but 
takes effect on a server only after you reboot. 


14. If you saved the new configuration, do you want it to take 
effect immediately? 
* If no, use the following procedure:


a. Use the Cursor keys to highlight Exit on the Main 
Menu. 


b. Press Enter. 


Result: A warning appears asking if you want to reboot 
the server with the new configuration. Ignore the 
warning. 


c. Press the Escape key. 




Result: The Main Selection Menu of the server appears. 
If you saved the changes to the configuration, the new 
configuration is stored in special files until you reboot. 


* If yes, use the following procedure: 


a. Use the Cursor keys to highlight Exit on the Main 
Menu. 


b. Press Enter. 


Result: A warning appears asking if you want to reboot 
the server with the new configuration. You must reboot 
for the new configuration to take effect. 


c. Press the Enter key. 


Result: The server reboots, and the connection is lost. If 
you want to reconnect, you must go back to the Server 
Status display of the console. See the next section, 
“Reconnecting to a SniffMaster Console,” for 
instructions. After reconnecting with the server, the 
new configuration will be in effect. 


Reconnecting to a SniffMaster Console 


After completing the configuration and installation procedures 
described above, you are ready to use the new Sniffer server. This 
section shows you how to reconnect to the server from a SniffMaster 
console and how to load the monitoring or analysis application. There 
is also a procedure for running the monitoring application in the 
background. After you reach this point, please refer to the appropriate 
manual in the Distributed Sniffer System library for further details on 
operating the system: 


SniffMaster console Distributed Sniffer System: Installation 
and Operations Manual 


Sniffer analysis server Distributed Sniffer System: Analyzer 
Operations Manual 


Sniffer monitoring server Distributed Sniffer System: Ethernet 
Monitor Operations Manual 
Distributed Sniffer System: Token Ring 
Monitor Operations Manual 


To reconnect the server to a console:


1. With the Server Status display (Figure 4-6) of the SniffMaster
console showing, use the Cursor Up or Cursor Down key to
move the highlight to the Sniffer server to which you want to
connect.


2. Press F7 (Connect) or, alternatively, Enter. When you
configured the server, did you eliminate the password, retain 
the default password, or add a new password? 


* If you did not configure the server with a password, the 
indication in the Current Status column of the Server Status 
display changes to “Logged on” and if you haven't disabled 
the sounds options, you will also hear a musical chime: 


a. Press F8 (Server screen) or, alternatively, Enter. 
Result: The server’s Main Selection Menu appears 
(Figure 4-9). 

b. Go to the next step. 

* If you are connecting to a server, and if that server is
configured with a (default or new) password, the field for
entering the password appears (Figure 4-7).


a. Type the password. 
b. Press Enter. 


Result: The message in the Current Status column of the 
display changes to indicate whether the Sniffer server is 
“Logged on.” If you haven't disabled the sounds 
options, you will also hear a musical chime. 


Note: When you enter an invalid password, a window 
pops up telling you that. 


c. Press F8 (Server screen) or, alternatively, Enter. 


Result: The server’s Main Selection Menu appears 
(Figure 4-9). 
d. Go to the next step. 


* Note: If no contact is made with the server—i.e. the 
indication in the Current Status column reads “Logging 
on” then reverts to “Logged off” or the indication reads 
“Lost”—check Appendix A, “Troubleshooting Guide.” 


3. Use the Cursor key to highlight the server application you 
want to load at the server. Do you want an analysis application 
or a monitor application? 


* If you choose an analysis application: 
a. Press Enter. 


Result: The application is loaded, and the analyzer 
server initialization screen appears (Figure 4-18). 


Server “TP Analyzer”; F11 for list, F12 for menus


The Sniffer Network Analyzer
for Token-Ring


Version 3.95


Network General Corporation
(C) Copyright 1986-1991
Press any key


Serial number: 152162
Network address: SOGGA6000000
Licensed to: Network General

Figure 4-18. Analysis server initialization screen. 
b. Press any key when prompted. 


Result: The analysis server Main Menu appears (Figure 
4-19). 


Server “TP Analyzer”; F11 for list, F12 for menus


Token-Ring Sniffer Network Analyzer, Version 3.95
(C) Copyright 1986 - 1991


Main Menu items shown: Traffic Generator, Capture filters, Trigger,
Capture, Display, Files, Options, Exit

Submenu items shown: Frame size, Show Kbyte counts, Show NW usage,
Linear bar scale, Log bar scale, Pair counts, Skylines


Begin data collection from the network.


Use the arrow keys to move, or ENTER to do this function


Figure 4-19. Analysis server Main Menu. 


Note: You are now ready to start using the analysis
server to observe the network segment, ring, or link to
which its monitor card is attached. For more 
information on operating the analysis server, see the 
Distributed Sniffer System: Analyzer Operations Manual. 


* If you choose a monitor application: 
a. Press Enter. 


Result: The application is loaded, and the monitor 
server initialization screen appears. 


b. Press any key when prompted. 


Result: The monitor server Main Menu appears. 


Note: You are now ready to start using the monitor 
server to observe the network segment or ring to which 
its monitor card is attached. For more information on 
operating the monitor server, see the Distributed Sniffer 
System: Token Ring Monitor Operations Manual or the 
Distributed Sniffer System: Ethernet Monitor Operations 
Manual. 


Note: Monitor applications are loaded in two parts. One 
part runs in background—e.g., collecting statistics— 
and lets you use the server for other purposes. The other 
part is a user interface. Once you've loaded the 
background processes, you do not have to reload them 
and can invoke the user interface whenever you want to 
access the background processes. 


However, you cannot run an analyzer application at the 
same time that you are running a monitor in 
background. You will be prompted to shut the 
background processes down when you try to start the 
analyzer application. 


Another caveat is that, while statistics are still being
collected, alarms are not sent to consoles when a 
monitor is running in background. 


See the procedure below for further instructions. 


To use the monitor application in the background:


1. Use the Cursor keys to highlight the monitor application in the 
server's Main Selection Menu (Figure 4-19). 


2. Press Enter. 
Result: The monitor server's initialization screen appears. 
3. Press any key when prompted. 


Result: The monitor server's Main Menu appears. 




4. Use the Cursor to highlight Exit on the Main Menu. 
5. Press Enter. 


Result: The user interface part of the monitor application is 
unloaded, the background processes part is still running, and 
the server’s Main Selection Menu appears again. At this point 
you have several options: 


* You can exit to DOS and perform other tasks on the server: 


a. Use the Cursor keys to highlight Exit to the Operating 
System on the Main Selection Menu. Alternatively, 
press the Esc key. 


b. Press Enter. 
Result: The DOS prompt appears. 


Note: To redisplay the server’s Main Selection Menu, 
type MENU at the DOS prompt, and press Enter. 


* You can reinvoke the user interface to access the 
background processes: 


a. Use the Cursor keys to highlight the monitor 
application on the Main Selection Menu. 


b. Press Enter. 


Result: The Monitor Services Menu appears (Figure 4-20).


Server “BIZ-ONE Server”; F11 for list, F12 for menus


Monitor Services Menu


Run the User Interface
Shutdown the Background Processes


Return to the Main Menu


Invoke the Monitor Services user interface.


Use arrow keys to select, then press Enter.


Figure 4-20. Monitor Services Menu. 
c. Use the Cursor keys to highlight Run the User
Interface. 


d. Press Enter. 
Result: The monitor server’s Main Menu appears. 
* You can shut down the background processes: 


a. Use the Cursor keys to highlight the monitor 
application on the Main Selection Menu. 


b. Press Enter. 


Result: The Monitor Services Menu appears (Figure 4-20).


c. Use the Cursor keys to highlight Shutdown the 
Background Processes. 


d. Press Enter. 


Result: You are prompted as to whether or not you want 
to shut down the monitor. 




e. Press “y” for “yes,” and then press Enter. 
Appendix A. Troubleshooting Guide


This appendix lists some common problems you may have with the 
Sniffer server and some possible remedies. Hopefully, they will save 
you some time, some worry, or the need to call for help. 


When you suspect a problem with the Sniffer server, please look 
through this guide before contacting NGC. Many times correcting a 
simple oversight can save you (and us) lots of time. 


But if our suggestions in this chapter do not solve your problem, 
please call. Support hours are 6 am to 6 pm Pacific time, weekdays. 


Before you call, be prepared to make the following information 
immediately available when the technical support person comes on 
the line: 


Distributed Sniffer System Group Number:


Phone for Network General’s Technical Support Department: (800) 395-3151

FAX: (415) 321-0855


Locate the Distributed Sniffer System Group Number for the 
server for which you want support. Every piece of Distributed 
Sniffer System equipment has a Group Number. You will find 
the Group Number on a label on the bottom of each unit. 
Record it in the box below. 


Locate the server serial numbers. You will find the numbers on 
a label on the bottom of each unit. 


Fill out a configuration record for the server and have it 
available. 


Draw an accurate, up-to-date map of your network that 
includes LANs as well as interconnecting devices. 


Record any error messages exactly, word for word. 


Provide an accurate description of all symptoms of any 
problem and, if possible, a description of how to replicate the 
problem. 


Provide information and analysis from a trace file, if 
appropriate. If you suspect that the problem is isolated to just a 
server or to the communications between a server and a 
console, you can set a filter on a portable Sniffer analyzer to get 
a trace that may help. 
Some General Troubleshooting Tips


There are a few general approaches to troubleshooting and common 
problems you should be aware of as well as simple things you might 
try for a variety of situations. This section describes some of these. 


Problem isolation. Because of the systemic nature of the Distributed 
Sniffer System, you must try to isolate problems before you can deal 
effectively with them. Sometimes a problem will be just with a Sniffer 
server. Other times, a LAN problem that a server is observing is the 
cause. An interconnecting device can also be a source of problems as 
can the SniffMaster console itself. 


Removing the null modem cable. One problem that seems to come 
up frequently occurs after the server TCP/IP configuration 
procedure. A null modem cable is sometimes used as part of the 
procedure. Users sometimes disconnect the null modem cable from 
the console but fail to disconnect the other end from the server. When 
they start to use the server, it does not behave properly. The reason 
why is that the null modem cable acts like an antenna and picks up 
signals that interfere with the operation of the server. Make sure the 
null modem cable is completely detached from both the console and 
the server. 


Rebooting. Sometimes a console will fail to connect to a server or will 
lose a connection, even though it always seemed to work before. In the 
sections below, you will find more complex versions of this problem, 
but there is one solution you should try first. Simply power off the 
console and power it back on. If that doesn’t work, try the same thing 
on the server. One way to reboot a server is from the Miscellaneous 
Controls menu. 


Reinstalling and reconfiguring. Sometimes a crucial step in the 
installation and configuration procedure was inadvertently left out 
and troubleshooting to find that step is like trying to find the 
proverbial needle in a haystack. In this case, the most systematic 
procedure is simply to follow the installation and configuration steps 
from beginning to end to find what was missed. 


Recording changes to the Sniffer server and the network. Many 
times keeping a detailed and accurate history of changes to your 
network and your Sniffer servers will provide the most important 
clues for isolating the problem. Among the kinds of changes to pay 
close attention to are: 


* Card configurations 

* Software configurations 
* NetBIOS addresses 

* Subnet masks 


* Default gateway addresses 
* Reconfigured routers
* Altered bridges 
* New router, bridge, or repeater 


* New terminate-and-stay-resident (TSR) programs installed 
that may interfere with the communications software 


* Inadvertent changes to CONFIG.SYS and AUTOEXEC.BAT on 
consoles and servers 


Using a portable Sniffer analyzer. A portable Sniffer analyzer is 
invaluable as a general troubleshooting tool for your Distributed 
Sniffer System. Below we describe various specific ways that you can 
use it. It allows you to capture trace files with filters set to capture 
packets from a console, from a server, or between a console and a 
server. If you are unable to understand your problem, or to come up 
with a solution by analyzing the trace file, you can then send the traces
to NGC Technical Support for analysis. 


Problems on Sniffer Servers 


Checking Hardware 


Sniffer servers come with built-in diagnostics. By using them 
routinely, you can run some quick hardware and software checks. 


The sequence of four diagnostic signals following POST (Power-On-Self-Test)
tells you how much of CONFIG.SYS and AUTOEXEC.BAT
the server has executed. If you do not hear one or more of these 
signals, you know approximately where the problem occurs by which 
of the signals you hear and do not hear. 


This section gives you two procedures for checking hardware. One 
helps make sure that a server is getting power. The second procedure 
utilizes POST, a built-in diagnostic, that checks the motherboard, 
memory, disk drives, and serial ports. A server successfully passes by 
emitting the first of a sequence of five audible diagnostic signals built 
into all Sniffer servers. The other four diagnostic signals are used for 
checking software (see “Checking Software” on page A-7). 


To check to see if a server is getting power: 


1. Power the server on using the orange power switch in the front 
of the unit. 


2. Look for the green power light in the front of the unit to 
illuminate. 
* If the light comes on, then you know the server is getting
power.


* If the green light fails to come on, you have a power
problem. 
a. Check to make sure the power cord is properly 
attached. 
Note: If the power cord is fine, then additional testing of 
the power supply is necessary. Try plugging something 
else into the outlet to see if it works. 


To check to see if the server passes the POST (Power-On-Self-Test)
for hardware components:


1. Power on the server using the orange power switch in the front 
of the unit. 


2. Listen for a distinct “beep.” POST can take over a minute. 
* If you hear the beep, the server passed POST.


* If you didn’t hear the beep, the server did not pass the test. 
Additional testing on the hardware is necessary. 


Note: POST checks the motherboard, memory, disk drives, 
and COM port. 


a. Check the hard disk input/output by rebooting and 
seeing if the fixed disk lamp on the front of the unit 
flickers. If it does, the hard disk and its controller are 
probably not the problem. 


b. Check the keyboard terminator. It should be snug and 
fit properly. You could also take it off and make sure it 
was not damaged in shipping. It can appear to be ok 
from the outside. 


c. Check to make sure that the SIMM (Single In-line 
Memory Module) chips are properly seated. They are 
located on the motherboard just below the NICs 
(Transport Card and the Monitor Card). They should be 
sticking straight up from the motherboard at a 90° angle. 
There are four in an analysis server; a monitor server 
has none. Wiggle each one. Push straight down. Make 
sure you have four of these. 


d. Check to make certain that both NICs are properly 
seated and parallel to the bus board. 


e. Check that none of the NIC chips (ASICs) have come 
loose. 


Checking Software 


Following the hardware check utilizing POST, there are four more 
diagnostic signals in the sequence emitted following booting of a 
Sniffer server. These signals tell you how much of CONFIG.SYS and 
AUTOEXEC.BAT the server has executed. If you do not hear one or 
more of these signals, you know approximately where the problem 
occurs by which of the signals you hear and do not hear. 


If a server has worked fine for a while and then no longer works as 
before, a real possibility is that someone has changed the 
CONFIG.SYS and/or AUTOEXEC.BAT files. 


NGC recommends against altering these files in any way. If they have 
been changed and the server no longer works properly, you may need 
to reinstall copies of the originals. Hopefully, you made backup 
copies of these when you first installed your system (see “Protecting 
Your Server” on page 2-8). 


To check that the server’s CONFIG.SYS and AUTOEXEC.BAT files 
execute properly: 


1. Reboot the server. 
2. Make certain that the server passes POST. 


3. Listen for the sequence of four more diagnostic signals that 
indicate the stages of execution of CONFIG.SYS and 
AUTOEXEC.BAT: 


Checkpoint 1 One tone indicating that the operating system 
environment has been set. 


Note: Checkpoint 1 may be especially important if you are 
configuring TCP/IP on a server and have attached a 
terminal, or a PC running terminal emulation software, 
with a null modem cable. Checkpoint 1 tells you that 
IOFORK.SYS, a TSR utility, has been installed. This TSR 
sets up the COM1 serial port so the server can accept 
keyboard input and can send out diagnostic messages to a 
terminal or PC screen. 


Checkpoint 2 Two tones indicating that memory has been 
initialized. 

Note: Failure to pass Checkpoint 2 may indicate that the 
SIMM chips are improperly seated. They are located on the 
motherboard just below the NICs (the Transport Card and 
the Monitor Card). They should be sticking straight up 
from the motherboard at a 90° angle. There are four in an 
analysis server; a monitor server has none. Wiggle each 
one. Push straight down. Make sure you have four of these. 


Checkpoint 3 Three tones indicating that the communications 
software has been installed. 


Note: TCP/IP requires nothing to be attached to the server 
to initialize its Transport Card. Two transport protocol 
drivers—NetBEUI for token ring and IPX for either token 
ring or Ethernet—will hang if the Transport Card is not 
connected to something (either to a network or to a 
loopback hood): 


* If you have NetBEUI, just attach a token ring cable to the 
server's 9-pin connector. The cable is self-shorting so it 
acts like a loopback hood. 


* If you have IPX for “thin” Ethernet, use a BNC-T 
connector with a 50 ohm terminator on each side of the 
“T” as a loopback hood. 


* If you have IPX for “thick” Ethernet, attach the AUI 
cable into a transceiver and then terminate the 
transceiver with a loopback hood. 


* If you have IPX for token ring, just attach a token ring 
cable to the server’s 9-pin connector. The cable is self- 
shorting so it acts like a loopback hood. 


Musical Chime Indicating that the server is ready. 


Note: It is possible for a server to emit the Musical Chime 
and still not run properly. You may not notice anything 
until you try to connect to the server with a console. If you 
used a null modem cable to configure TCP/IP on a server, 
make sure the null modem cable is no longer attached. If it 
is left attached, it acts like an antenna and picks up signals 
that may disrupt the server. 


Console-Server Connection Problems 


There are numerous problems that may occur with console-server 
connections. In this section, we describe several possible reasons why 
consoles do not connect with servers. Some of these apply to the 
situation where you try to connect for the first time. Others apply to 
situations where a connection that worked before stops working. 
Some of these problems depend on which transport protocol you use. 


Server Address Problems 


One reason you may not make a connection is that there is an incorrect 
NetBIOS or TCP/IP address. In this section, we describe several ways 
in which the wrong address may have been used. 


NetBIOS Address Incorrectly Derived 


The NetBIOS address is preconfigured at the factory. You must derive 
it from the board address of the Transport Card. To do this, you will 
need to check the board address on the label underneath the server, 
use it to derive the NetBIOS address, and then check that against the 
NetBIOS address as recorded in the console’s server database. 


To compare the NetBIOS address of a server against the NetBIOS 
address recorded on a console’s server database: 


1. Find the board address label attached to the bottom of the 
server. 


Note: The board address has 12 hex characters, for example, 
10005A786E82 (hex). You will use the last 6 characters of this 
board address to derive the NetBIOS address assigned at the 
factory. 


2. To derive the NetBIOS address, delete the first 6 characters of 
the board address: 


* Token ring. If you have a token ring board, substitute 
NGCT for the first 6 characters of the address. Using the 
address above as an example, you would have a NetBIOS 
address of NGCT786E82. 


* Ethernet. If you have an Ethernet board, substitute NGCE 
for the first 6 characters of the address. For example, a 
board with the address, 02070108159C, would have the 
NetBIOS address, NGCE08159C. 


3. On the console’s Main Menu, use the cursor keys to highlight 
the Manage names item. 


4. Press the Enter key. 


5. Compare the NetBIOS address recorded there with the address 
you derived from the server’s board address. They should be 
the same. 


Confusing Default NetBIOS Address, User-Defined NetBIOS Address, and Symbolic Name 


Another potential problem is confusion among three types of 
reference to a server: 


* Default NetBIOS address preconfigured for each server at the 
factory. You derive the NetBIOS address from the Transport 
Card address during the installation procedure. This address is 
entered into a console’s server database through the NetBIOS 
address field of the Manage Names dialog box. The address 
will appear in the Transport Address column of the Server 
Status display. 


* User-defined NetBIOS address defined by the user in the Server 
Configurator. This address serves exactly the same function as 
the default NetBIOS address and supersedes the NetBIOS 
address preconfigured for the server at the factory. You would 
choose to use a user-defined NetBIOS address if you wanted to 
make a server more readily identifiable, e.g., to distinguish 
among groups of servers or specialized functions of particular 
segments or rings. This address is entered into a console’s 
server database through the NetBIOS address field of the 
Manage Names dialog box. The user-defined NetBIOS address 
will appear in the Transport Address column of the Server 
Status display. 


* Symbolic name defined by the user in the console’s server 
database through the name field of the Manage Names dialog 
box. This name serves no purpose other than to make a server 
more identifiable. It will appear in the Server Name column of 
the Server Status display. 


Changing the NetBIOS address and failing to enter it properly on the 
console’s server database can create a very big problem. For example, 
someone may define a new NetBIOS address on a server from one 
console and not inform users at another console. Or, someone defines 
a new NetBIOS address but enters it in the name field, instead of the 
address field, of the Manage Names dialog box. 


If you override the default NetBIOS address by creating a user- 
defined NetBIOS address, you must enter the user-defined address in 
the NetBIOS address field of the Manage Names dialog box. If you 
don’t, the console won’t be able to find the server. 


If you have reason to think that this may be the problem, you need to 
find out what the current user-defined NetBIOS address (if one was 
created) is on the server and to compare it to the information for that 
server in the console’s server database. Since the console cannot find 
the server, you need to use a separate utility to extract the information 
from the server. 


To find the user-defined NetBIOS address and to compare it with the 
server information entered in the server database: 


1. Use the server’s Transport Card address and the NetBIOS 
Adapter Status Utility to retrieve server information. 


Note: For instructions on the use of this tool, see “NetBIOS 
Adapter Status Utility” on page B-7. This utility retrieves 
information, including the user-defined address if one was 
created to override the default address, from any NetBIOS 
station on the network. 


2. Find the NetBIOS Name Table in the retrieved information. If 
there is a new user-defined NetBIOS address, it will appear in 
that table. 


3. Go to the Server Status display on the console. 


4. Compare the user-defined address you found by using the 
NetBIOS Adapter Status Utility with the Transport Address for 
that server. Both should be the same. 


5. If the two addresses are not the same, enter the address 
retrieved with the utility into the server’s database using the 
Manage Names display. 
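

The derivation rule and the database comparison from the two procedures above, as an added example that is not part of the original manual. The dictionary layout of a console database entry (name and address fields) and the function names are assumptions made for illustration; the prefixes and sample board addresses are the manual's.

```python
import re

# Prefixes the manual gives for factory-assigned NetBIOS addresses.
PREFIX = {"token ring": "NGCT", "ethernet": "NGCE"}


def default_netbios_address(board_address, medium):
    """Derive the factory NetBIOS address from the Transport Card board address."""
    digits = re.sub(r"[\s:.\-]", "", board_address).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"board address must be 12 hex characters: {board_address!r}")
    try:
        prefix = PREFIX[medium.lower()]
    except KeyError:
        raise ValueError(f"unknown medium: {medium!r}") from None
    # Drop the first 6 characters, keep the last 6, put the prefix in front.
    return prefix + digits[6:]


def audit_console_entry(entry, board_address, medium, user_defined=None):
    """Compare one console database entry with the address the server answers to.

    entry        -- hypothetical record: {"name": ..., "address": ...}
    user_defined -- address read from the server's NetBIOS Name Table, if the
                    factory default was overridden in the Server Configurator
    Returns a list of findings; an empty list means the entry is consistent.
    """
    default = default_netbios_address(board_address, medium)
    expected = user_defined or default
    address = entry.get("address", "")
    findings = []
    if address == expected:
        return findings
    if address.upper() == expected.upper():
        # NetBIOS names are case-sensitive, so this entry will not connect.
        findings.append(f"address {address!r} differs from {expected!r} only in case")
    elif user_defined and address == default:
        findings.append(
            f"database holds factory default {default!r}, "
            f"but the server now uses user-defined {user_defined!r}")
    else:
        findings.append(f"address {address!r} does not match {expected!r}")
    if entry.get("name", "") == expected:
        findings.append("server address was entered in the name field "
                        "instead of the NetBIOS address field")
    return findings


if __name__ == "__main__":
    # Constructed console database entries for the manual's token ring example.
    board = "10005A786E82"
    entries = [
        {"name": "Ring 3 analyzer", "address": "NGCT786E82"},
        {"name": "LAB3RING", "address": "NGCT786E82"},
    ]
    print(audit_console_entry(entries[0], board, "token ring"))
    print(audit_console_entry(entries[1], board, "token ring", user_defined="LAB3RING"))
```
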


Inaccurate IP Address, Subnet Mask, and Default Gateway Information 



An obvious source of problems for those who use TCP/IP as their 
transport protocol is inaccurate IP address, subnet mask, and default 
gateway settings. To eliminate any problems caused by such errors, 
you need to compare the current settings on the server to which you 
cannot connect with the information in the console’s server database. 


To check the current settings for the server, console, and gateways: 


1. Power off the server. 


2. Since you cannot connect with the server, you'll need to attach 
an external device to it. See “To attach a PC or terminal to a 
Sniffer server:” on page 3-6. 


3. Make certain the Transport and the Monitor Cards are 
connected. 


4. Enter terminal emulation mode with the external device. See 
“To enter terminal emulation mode using a SniffMaster 
console:” on page 3-7. 


5. Power on the server. 


Result: The sequence of server diagnostic tones and messages 
will sound and appear. Then the Sniffer server IP Initialization 
Program menu appears. 


6. When you see the Sniffer server IP Initialization Program 
menu, press any key immediately to pause. 


7. Check the current settings for the server. You will see them in 
the column on the right-hand side of the screen (see Figure 3-2): 


IP address        Check the address entered against the actual 
                  address assigned to this server. Also compare 
                  this with the address entered for this server in the 
                  console’s database. 

Subnet mask       Make certain this was entered correctly. You 
                  enter the subnet mask in terms of the number of 
                  subnet bits. Typically, this would be a number 
                  between 8 and 24. 8 creates a subnet mask of 
                  255.0.0.0. 24 creates a subnet mask of 
                  255.255.255.0. 

Default gateway   Compare this with the actual address for the 
                  default gateway. 


8. Make certain the server’s Transport Card is connected to the 
network. 


9. Reboot the console. 


Result: The SniffMaster console IP Initialization Program menu 
appears. 


10. When you see the SniffMaster console IP Initialization Program 
menu, press any key immediately to pause. 


11. Check the current settings for the console. You will see them in 
the column on the right-hand side of the screen (see Figure 3-2): 


IP address        Check the address entered against the actual 
                  address assigned to this console. 

Subnet mask       Make certain this was entered correctly. You 
                  enter the subnet mask in terms of the number of 
                  subnet bits. Typically, this would be a number 
                  between 8 and 24. 8 creates a subnet mask of 
                  255.0.0.0. 24 creates a subnet mask of 
                  255.255.255.0. 

Default gateway   Compare this with the actual address for the 
                  default gateway. 
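

A way to cross-check the three settings once they have been read off both menus, as an added example that is not part of the original manual. The function names and the sample addresses other than 89.0.0.56 are constructed; the check treats 0.0.0.0 as "not set", which is an assumption about how an unconfigured unit reports its values.

```python
import ipaddress

UNSET = ipaddress.IPv4Address("0.0.0.0")


def mask_from_bits(bits):
    """Convert the number of subnet bits entered in the menu to a dotted mask."""
    if not 0 <= bits <= 32:
        raise ValueError(f"subnet bits must be 0..32, got {bits}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def check_unit(address, subnet_bits, gateway, peer=None):
    """Return a list of problems with one unit's IP settings.

    peer is the address of the unit on the other end (the server when checking
    a console, the console when checking a server), if known.
    """
    findings = []
    iface = ipaddress.IPv4Interface(f"{address}/{subnet_bits}")
    net = iface.network
    if iface.ip == UNSET:
        return ["IP address was never set"]
    if not 8 <= subnet_bits <= 24:
        findings.append(f"{subnet_bits} subnet bits ({mask_from_bits(subnet_bits)}) "
                        "is outside the typical 8 to 24 range")
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{iface.ip} is the network or broadcast address of {net}")

    gw = ipaddress.IPv4Address(gateway)
    gateway_set = gw != UNSET
    if gateway_set and gw == iface.ip:
        findings.append("default gateway is the unit's own address")
    elif gateway_set and gw not in net:
        # A gateway outside the local subnet can never be reached directly.
        findings.append(f"default gateway {gw} is not on the local subnet {net}")

    if peer is not None:
        peer_ip = ipaddress.IPv4Address(peer)
        if peer_ip == iface.ip:
            findings.append(f"peer uses the same address {peer_ip}")
        elif peer_ip not in net and not gateway_set:
            findings.append(f"peer {peer_ip} is on another subnet "
                            "but no default gateway is set")
    return findings


if __name__ == "__main__":
    # Constructed settings: same address and gateway, two different bit counts.
    for bits in (8, 24):
        print(bits, mask_from_bits(bits),
              check_unit("89.0.0.56", bits, "89.0.1.1", peer="89.0.1.20"))
```
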


Too Many Consoles Trying to Connect to the Same Server 


Servers can be configured to connect to up to two consoles. If a server 
is configured to one console, then all others trying to connect will be 
rejected. The same is true for a server configured to two console 
connections. 


Sometimes you may lose a connection to a server and, before you can 
reestablish the connection, another console may have connected 
already, and the server reaches the maximum for which it was 
configured. 


Another situation is where someone may have changed a server's 
configuration without properly notifying personnel working at other 
consoles. It is possible that where a server was originally configured 
to accept up to two consoles, it was reconfigured to accept only one. 
When you try to connect, you can no longer do so because of the 
change in the server. 


The clues that indicate that this is the case vary, depending upon the 
transport protocol you use: 


* If you have TCP/IP, you will see the message, “Server 
connection rejected,” when a server has its maximum number 
of connections. The message tells you that the server is alive 
and well but that it cannot accommodate any more consoles. 


* If you have NetBIOS, you will see a message with the name of 
the server already connected when the server is configured for 
one console connection. When configured for two console 
connections, the server will tell you only that the connection 
attempt failed. 


First check how many console connections the server is 
configured for. Then check that against how many consoles can 
potentially connect to that server. 


To compare a server’s console connection configuration with the 
number of consoles that could potentially connect to that server: 
1. Find a console with an established connection to the server. 


2. If an application is running on the server, go to the Main Menu, 
and use the Cursor keys to highlight the Exit item. 


3. Press the Enter key. 


Result: The Main Selection Menu appears. 


Note: If you are running the monitor application, the monitor 
may still be running in background. If that is the case, you will 
need to shut it down: 


a. Highlight the monitor application item in the Main 
Selection Menu. 


b. Press the Enter key. 


Result: The Monitor Services Menu appears. 


c. Highlight the Shutdown the Background Processes item. 
d. Press the Enter key. 


Result: You will be prompted to confirm shutting down 
background processes and then returned to the Main 
Selection Menu. 


4. In the Main Selection Menu, highlight the Configure Server 
item. 




5. Press the Enter key. 


Result: If you have an analysis application on the server, the 
Configure Analysis Server menu appears. 


a. With the highlight on Server Parameters, press Enter. 


Result: The Server Configurator Main Menu appears. 


6. Check the Consoles= item in the Main Menu of the Server 
Configurator. The server could be configured for either one or 
two consoles. 


7. Check the server databases of each console that could 
potentially connect to the server: 


a. Go to the console’s Main Menu. 

b. Use the Cursor keys to highlight the Manage names item. 
c. Press the Enter key. 

d. Check to see if the server’s address is listed. 

e. Repeat these steps for each of the other consoles. 


8. Compare the number of consoles with the server's address in 
their server database with the number of console connections 
for which the server is configured. 


Note: If the number of consoles that can potentially connect to 
a given server exceeds the number of console connections for 
which it is configured, then you run the risk of console 
rejection. You will need either to change the configuration on 
the server or find some way to manage the connection of 
consoles to servers. 


Problems With Interconnection Devices 


It’s important to know the interconnection devices—e.g., a bridge or 
a router—between a console and a server. These can be turned off, or 
they can be configured to filter certain types of packets. In this case, 
you may want to put a portable Sniffer analyzer on either side of the 
interconnection device to see if server packets or console packets are 
getting through. For example, consoles and servers in the TCP/IP 
environment require ARP (Address Recognition Protocol) requests 
and replies in order to establish a connection. If the interconnection 
device is set to filter on ARP packets, a connection will never be 
established. 


Duplicate IP Addresses 


If you get the message, “Transfer connection rejected,” it could 
indicate duplicate IP addresses. Use the following procedure: 


To check for duplicate IP addresses: 


1. Power off the console. 


Result: This will clear the ARP cache. If it was cached in 
memory, it will not do another ARP. 


2. Set up a portable Sniffer analyzer to capture frames sent out of 
the console’s transport card and packets received by the card. 


3. Power the console back on. 

4. Go to the Server Status window of the console. 

5. Try to connect to any server in the list. 

6. Look for any ARP request from the console on the Sniffer 
analyzer. 


7. When you see the ARP Request, look for the IP address of the 
server you are trying to connect to. Make sure it matches the 
address which you are trying to get. 


8. On the portable Sniffer analyzer, look for the ARP Reply. 


Result: If you get an ARP Reply from any device other than the 
server to which the original ARP Request was intended, then 
you have a duplicate IP address. 
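

The rule in step 8 applied to captured frames, as an added example that is not part of the original manual. It assumes Ethernet II framing (token ring frames are laid out differently), and the frames, MAC addresses and console address are constructed for illustration.

```python
import socket
import struct

ARP_ETHERTYPE = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Decode an Ethernet II ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not IPv4 over Ethernet
    return {"oper": oper,
            "sender_mac": _mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": _mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a frame for the constructed sample capture below."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    return (struct.pack("!6s6sH", eth_dst, sha, ARP_ETHERTYPE) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                        socket.inet_aton(sender_ip), tha, socket.inet_aton(target_ip)))


def check_arp_exchange(frames, console_mac, server_ip, server_mac=None):
    """Find the console's ARP request for server_ip and every reply to it.

    A reply from more than one hardware address, or from an address other
    than the server's own (when it is known), means a duplicate IP address.
    """
    request_seen = False
    responders = []
    for raw in frames:
        arp = parse_arp(raw)
        if arp is None:
            continue
        if (arp["oper"] == ARP_REQUEST and arp["sender_mac"] == console_mac
                and arp["target_ip"] == server_ip):
            request_seen = True
        elif (arp["oper"] == ARP_REPLY and request_seen
                and arp["sender_ip"] == server_ip
                and arp["target_mac"] == console_mac
                and arp["sender_mac"] not in responders):
            responders.append(arp["sender_mac"])
    unexpected = [m for m in responders if server_mac is not None and m != server_mac]
    return {"request_seen": request_seen, "responders": responders,
            "duplicate": len(responders) > 1 or bool(unexpected)}


# Constructed capture: one request from the console, then two different
# stations answering for the same IP address.
CONSOLE_MAC, CONSOLE_IP = "02:00:00:00:00:01", "89.0.0.10"
SERVER_MAC, SERVER_IP = "02:07:01:08:15:9c", "89.0.0.56"
OTHER_MAC = "02:00:00:00:00:99"
SAMPLE_CAPTURE = [
    build_arp_frame(ARP_REQUEST, CONSOLE_MAC, CONSOLE_IP, "00:00:00:00:00:00", SERVER_IP),
    build_arp_frame(ARP_REPLY, SERVER_MAC, SERVER_IP, CONSOLE_MAC, CONSOLE_IP),
    build_arp_frame(ARP_REPLY, OTHER_MAC, SERVER_IP, CONSOLE_MAC, CONSOLE_IP),
]

if __name__ == "__main__":
    print(check_arp_exchange(SAMPLE_CAPTURE, CONSOLE_MAC, SERVER_IP, SERVER_MAC))
```
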
Appendix B. Troubleshooting and Fine Tuning Tools and Utilities 


This appendix explains several tools and utilities for troubleshooting 
and fine tuning your Distributed Sniffer System. There are four of 
these covered: 


* Two additional commands on the IP Initialization Program 
Menu 


* PING utility 
* NetBIOS Adapter Status utility 
* IOFORK.SYS device driver. 


Expanded TCP/IP Initialization Program Menu 


“Configuring TCP/IP” on page 3-6 explains how to use the 
Initialization Program to configure TCP/IP on both servers and 
consoles. Two additional commands let you set additional 
configuration options for the TCP/IP stack. Both are on a special 
“hidden” version of the program’s menu. The two commands are 
summarized in Figure B-1. 


connections   Sets the number of connections to the unit. For a 
              server, the range is 1 to 2 console connections. For a 
              console, the range is 1 to 32 server connections. 

window        Sets the size of the TCP window. Select a multiplier 
              from 1 to 8. The multiplicand is the “maximum 
              segment size.” 


Figure B-1. Expanded Initialization Program Menu options. 


When using the connections command with a console to connect 
servers, remember that 30 connections is an upper limit tested by 
NGC on some network configurations. Optimal performance of the 
Distributed Sniffer System will be less on other network 
configurations. 


You will use the window command when adjusting the stack for a 
“slow” versus a “fast” network. Use higher multipliers for slower 
networks to ensure that all data is received. A large multiplier sets a 
large buffer for the TCP window mechanism, and that, in turn, uses 
up valuable memory. Therefore, if your network is fast enough to 
handle the data, decrease the size of the window. 


The TCP window mechanism is a flow control tool. It works with the 
acknowledge mechanism to update senders and receivers as data is 
transmitted and received. A receiver periodically empties its buffer, 
acknowledges received data, and tells the sender its current window 
size, i.e., the size of the buffer it has available for additional data. The 
sender then subtracts the amount of data already sent from that 
window size and uses the difference to determine how much more 
data it can send. 
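

A small simulation of the sender-side arithmetic just described, as an added example that is not part of the original manual. It is a simplified model with these assumptions: time advances in ticks, the link carries one segment per tick, an acknowledgment returns a fixed number of ticks after its data was sent, the receiver empties its buffer at once, and the segment size of 536 bytes is an illustrative value.

```python
def transfer_ticks(payload, mss, multiplier, ack_delay, segs_per_tick=1):
    """Simulate one transfer; return (ticks until all data is acknowledged,
    ticks the sender sat idle with data still waiting)."""
    if not 1 <= multiplier <= 8:
        raise ValueError("window multiplier must be 1..8")
    if ack_delay < 1:
        raise ValueError("ack_delay must be at least 1 tick")
    window = multiplier * mss   # receive buffer, the "window" setting times mss
    remaining = payload         # bytes not yet sent
    in_flight = 0               # bytes sent but not yet acknowledged
    acks = {}                   # tick -> bytes acknowledged at that tick
    stalled = 0
    tick = 0
    while True:
        in_flight -= acks.pop(tick, 0)
        if remaining == 0 and in_flight == 0:
            return tick, stalled
        # Usable window = advertised window minus data already sent.
        usable = window - in_flight
        sent = min(usable, remaining, segs_per_tick * mss)
        if sent > 0:
            remaining -= sent
            in_flight += sent
            acks[tick + ack_delay] = acks.get(tick + ack_delay, 0) + sent
        elif remaining > 0:
            stalled += 1        # window is full, sender must wait for an ack
        tick += 1


def smallest_sufficient_multiplier(payload, mss, ack_delay):
    """Smallest multiplier (least buffer memory) that gives the fastest transfer."""
    ticks = {m: transfer_ticks(payload, mss, m, ack_delay)[0] for m in range(1, 9)}
    best = min(ticks.values())
    return min(m for m, t in ticks.items() if t == best)


if __name__ == "__main__":
    MSS = 536                   # assumed segment size for illustration
    PAYLOAD = 16 * MSS
    for label, delay in (("fast", 1), ("slow", 4)):
        for m in (1, 2, 4, 8):
            ticks, stalled = transfer_ticks(PAYLOAD, MSS, m, delay)
            print(f"{label} network, window={m}: {m * MSS} byte buffer, "
                  f"{ticks} ticks, {stalled} stalled")
        print(label, "smallest sufficient multiplier:",
              smallest_sufficient_multiplier(PAYLOAD, MSS, delay))
```

In this model the fast network gains nothing from a multiplier above 1, while the slow network needs 4 before the sender stops stalling; anything larger only costs buffer memory.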


To open the expanded IP Initialization Program Menu: 


1. Exit to the DOS command line. Are you opening the IP 
Initialization Program on the console or a server? 
* If you are using the console: 
a. Use the Cursor keys to highlight Exit in the Main Menu. 
b. Press Enter. 


Result: The DOS command line appears. 


* If you are viewing a monitor or analyzer application on the 
console display: 


a. Use the Cursor keys to highlight Exit in the Main Menu. 
b. Press Enter. 
Result: The Main Selection Menu appears. 


c. Use the Cursor key to highlight Exit to the Operating 
System or, alternatively, Escape. 


d. Press Enter. 


Result: The DOS command line appears. 
2. At the DOS prompt, type IPINIT -f. 
3. Press Enter. 


Result: The expanded IP Initialization Program Menu appears 
(Figure B-2). 




Network General IP initialization program. Version 0.27 
(C) Copyright 1991, Network General Corporation 
Using wintcp info file C:\CONSOLE\wintcp\wintcp.sys 


If you change any settings, this system will optionally reboot when you quit. 


Ipinit commands (and current settings) : 
address     - Set IP address [currently set to 0.0.0.8] 
connections - Set number of connections [currently set to 32] 
subnet      - Set IP subnet mask [currently set to 9.8.0.0] 
gateway     - Set default IP Gateway [currently set to 8.9.8.8] 
targets     - Set SNMP trap targets [currently set to none] 
window      - Set TCP window multiple(#*mss) [currently set to 3] 
help        - Display this menu 
quit        - Exit to DOS 
update      - Save changes 


Hit any key (within 5 seconds) if you want to change anything: 
Ipinit> 


Figure B-2. Expanded TCP/IP Initialization Program Menu. 


4. Type the appropriate Ipinit command for the setting you want 
to change (i.e., connections or window). 


Note: As a shortcut, you can type “c” for connections and “w” 
for window. 


5. Press Enter. 

6. Follow the instructions that appear to change the setting. 

7. When finished, type update or “u.” 

8. Press Enter. 

9. Type quit or “q.” 

10. Press Enter. 

Result: The DOS prompt reappears. You will be prompted as to 
whether or not you want to reboot. You need to reboot for the 
changes to take effect. If you do reboot, you'll need to 
reconnect. 


11. If you didn’t reboot, you can return to the Main Selection Menu 
by typing MENU at the DOS prompt. 


12. Press Enter. 


Result: The Main Selection Menu reappears. 


PING Utility 


You can use a tool called PING for TCP/IP Distributed Sniffer System 
testing and management. PING is an echo request program that uses 
the Internet Control Message Protocol (ICMP). Its primary use is to 
determine the operating status of specific IP addresses on the system. 


One typical scenario for using PING is when you want to check to 
make sure that you are getting traffic out from the console through a 
router to a server and then getting a reply back. What you can do is to 
first try a workstation on the console side of the router. Next try the 
card of the router itself. Then send a PING through the router to 
workstations on the other side of the router. 


Another scenario is asymmetrical: you can PING successfully 
one way but replies do not get back through. For example, routers 
could have been set up to filter on an IP address one way but not the 
other. In this case, you can have someone at the other end PING back 
to you. Again, use the strategy described above: PING locally, then to 
the interconnection device, and then through the interconnection 
device. 


To use PING to check IP address status: 
1. Exit to the console’s DOS command line: 
a. Use the Cursor keys to highlight Exit in the Main Menu. 


b. Press Enter. 


Result: The DOS command line appears. 


2. At the DOS prompt, type 
PING IPaddress [-s] [-z] [-n] [-t] [-o] [-i] 
For example, 
PING 89.0.0.56 


Note: There are a variety of command-line options available: 


Option   Option Name   Description 

-s                     Sends request datagrams to a server 
                       continuously until you press a key. If 
                       the datagrams do not stop, type “q” to 
                       quit. 

-z       datasize      Specifies the number of bytes sent in 
                       each request datagram. Maximum is 
                       512 bytes. Default is 64 bytes. 

-n       packets       Specifies how many request datagrams 
                       to send. 

-t       time          Specifies in seconds the length of time 
                       to send datagrams. Console will send 
                       as many as possible, given the value for 
                       -i interval. 

-o                     Specifies in seconds the length of time 
                       for the console to wait for a response 
                       datagram. Default is 5 seconds. 

-i       interval      Specifies in seconds the length of the 
                       interval between each transmitted 
                       request datagram. Default is 1 second. 


Figure B-3. Command-line options for the PING utility. 


3. Press Enter. 


Result: A message appears on the screen indicating that the 
unit with the IP address is operating. 


4. To return to the console application, type CONSOLE at the 
DOS prompt. 


5. Press Enter. 


Result: The console’s main menu appears. 


NetBIOS Adapter Status Utility 


You can use the NetBIOS Adapter Status Utility, NBPING, for 
troubleshooting your Distributed Sniffer System much like PING. It 
comes already installed with your console software. The main 
purpose of the utility is to verify the presence of other NetBIOS 
stations on a network. When you invoke it, you will see a screenful of 
information about the adapter in the server to which you directed it: 
its permanent and software-selectable names, statistics, and local 
name table data. 


Figure B-3 shows an example of the adapter status and name table 
data retrieved by the NetBIOS Adapter Status Utility: 


NetBios Adapter Status: 
Unit Id (hex) 
Version 
Reporting Period (mins) 
Collisions 
Aborted Transmits 
Packets Transmitted 
Packets Received 
Retransmissions 
Free NCBs 
Max. Configured NCBs 
Max. Total NCBs 
Pending Sessions 
Max. Configured Sessions 
Max. Total Sessions 
Max. Packet Size 
NetBios Names in Table 


16 68 5A 78 72 6D 
1.8 

2327 

8 


NetBios Name Table: 
Num: Type: Status: NetBios Name: 


602 Unique REG NGC18@85A78726D . 
C:\CONSOLE> 


Figure B-3. Example of data retrieved by NetBIOS Adapter Status Utility. 


As Figure B-3 shows, the data is displayed in two parts: NetBIOS 
Adapter Status and NetBIOS Name Table. The sections below 
describe each data category. 


NetBIOS Adapter Status Data 


Unit ID                    A number assigned to the adapter during 
                           manufacturing. It is the last six bytes of 
                           the permanent node name. 

Version                    Software version number of the 
                           NetBIOS release. 

Reporting Period           Number of minutes during which 
                           adapter statistics have been collected. 
                           The counter is reset only by a power-on 
                           reset, and it does roll over when it 
                           reaches maximum count. 

Collisions                 Number of collisions detected during 
                           datagram transmissions since counter 
                           reset or turned over. 

Aborted Transmits          Number of datagram transmissions 
                           stopped by the adapter since counter 
                           reset or turned over. 

Packets Transmitted        Number of packets successfully 
                           transmitted since counter reset or 
                           turned over. 

Packets Received           Number of packets successfully 
                           received since counter reset or turned 
                           over. 

Retransmissions            Number of retransmissions of remote 
                           adapter status calls that have occurred 
                           since counter reset or turned over. 

Free NCBs                  Number of available Network Control 
                           Blocks (NCBs) not in use. An NCB is a 
                           block of memory containing 
                           information about a command passed 
                           to NetBIOS. 

Max. Configured NCBs       Number of NCBs configured during 
                           initial NetBIOS configuration. 

Max. Total NCBs            Number of NCBs allowed by last 
                           RESET command. 

Pending Sessions           Number of sessions currently 
                           pending. A “session” is a reliable 
                           two-way connection between two names 
                           on the network. A server can have up 
                           to two sessions (with each of two 
                           consoles) at one time. 

Max. Configured Sessions   Number of sessions configured during 
                           initial NetBIOS configuration. The 
                           Distributed Sniffer System allows only 
                           two. 

Max. Total Sessions        Number of sessions allowed by last 
                           RESET command. 

Max. Packet Size           Maximum session data packet size. 

NetBIOS Names in Table     Number of NetBIOS names currently 
                           registered in the local names table. 


NetBIOS Name Table 


Num                        Name number. Used by many 
                           NetBIOS commands as a quick way of 
                           referring to a name known to be in the 
                           local names table. 

Type                       Type of name. An adapter reserves a 
                           “unique” name for its exclusive use on 
                           the network. Other adapters can use a 
                           “group name.” 

Status                     Current status of the name entry. The 
                           statuses are: attempting to register 
                           name, name registered, name 
                           de-registered, name duplicated, and 
                           name duplicated but de-registration 
                           pending. 

NetBIOS Name               Software-selectable name. This name 
                           can be recognized on the network. 
                           NGC supplies each adapter with a 
                           name at the factory. When a user 
                           substitutes another name when 
                           configuring a server, the new name 
                           takes the place of this name. 


To use NBPING to check adapter status: 


1. Exit to the console’s DOS command line: 
a. Use the Cursor keys to highlight Exit in the Main Menu. 
b. Press Enter. 


Result: The DOS command line appears. 


2. Change to the directory with NBPING. Are you attached to an 
Ethernet or a token ring? 


* If Ethernet, type at the DOS prompt 
C:\CD\CONSOLE\IPXEN 

* If token ring, type at the DOS prompt 
C:\CD\CONSOLE\IPXTR 


3. At the DOS prompt, type 

NBPING NAME=NetbiosName [HEX] [SEC] 


Note: NetBIOS names are case-sensitive. You can use the 
permanent node name in place of the NetBIOS name, but it 
requires special notation. You must enclose the hex digits of 
the permanent node name in brackets: 


[XXXXXXAXAXAXXXX] 


The HEX parameter displays the name in hexadecimal. The 
SEC parameter accesses the secondary adapter. 


4. Press Enter. 


Result: NBPING returns the statistics display (Figure B-3). 


5. To return to the console application, type CONSOLE at the 
DOS prompt. 


6. Press Enter. 


Result: The console’s main menu appears. 


IOFORK.SYS Utility 




The IOFORK.SYS utility is specified in the CONFIG.SYS file and is 
used when configuring TCP/IP servers from a serial device at their 
local serial port (see “Configuring TCP/IP” on page 3-6) and for 
troubleshooting on all servers. You probably will never have to adjust 
IOFORK.SYS, but if you do, we provide a description of how you can 
do that. 


You can create serious problems when inappropriate changes are 
made that conflict with other portions of the server. 


The command line in CONFIG.SYS would look like this: 
DEVICE=\TOOLS\IOFORK COM#:Speed,Parity,Databits,Stopbits 


#          COM port number. Use 1 or 2. 

Speed      Baud rate. Enter only the first two digits of the speed. 
           Speeds supported are 300, 1200, 2400, 4800, 9600, and 
           19.2K. 

Parity     Parity may be O, E, or N for “odd,” “even,” or “no 
           parity.” 

Databits   Databits may be 5 to 8. 

Stopbits   Stopbits may be 1 or 2. 


An example would be: 
DEVICE=IOFORK COM2:48,O,7,2 


The example sets IOFORK.SYS to use COM port 2, baud rate 4800, 
odd parity, 7 data bits, and 2 stop bits. 


The COM port and speed are required on the command line; 
however, the other trailing parameters may be changed or omitted. 
NGC sets the parameters at 9600 baud rate, no parity, 8 data bits, and 
1 stop bit in CONFIG.SYS. 


You can use COM ports other than 1 or 2. IOFORK.SYS allows the 
interrupt vector and IO base for its COM1 UART (Universal 
Asynchronous Receiver Transmitter) table to be overwritten from the 
command line. The commands for setting these are IRQ:x and 
BASE:xxxx. The interrupts can be 0 to 7; the IO base can be 200 to FFFF 
(hex). An example would be: 


DEVICE=\TOOLS\IOFORK.SYS IRQ:5 BASE:02F8 COM1:96 


The example configures IOFORK.SYS to use a UART at interrupt 
vector 5 and IO base 02F8 (hex). 
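
Added example (not from the manual or from NGC): a Python check that parses an IOFORK line from CONFIG.SYS and rejects values outside the ranges listed above, for reviewing a server's serial-port settings before a change is saved. The function name parse_iofork, the sample lines, and the treatment of an omitted trailing parameter as the shipped setting (no parity, 8 data bits, 1 stop bit) are assumptions of this example.

```python
import re

# Speed codes are the first two digits of the baud rate (19 stands for 19.2K).
SPEED_CODES = {"30": 300, "12": 1200, "24": 2400, "48": 4800, "96": 9600, "19": 19200}
PARITY = {"O": "odd", "E": "even", "N": "none"}

def parse_iofork(line):
    """Return the settings on an IOFORK DEVICE= line; raise ValueError if invalid."""
    m = re.match(r"\s*DEVICE\s*=\s*\S*IOFORK(?:\.SYS)?\s+(.+)$", line, re.I)
    if not m:
        raise ValueError("not an IOFORK DEVICE= line")
    # Assumption: an omitted trailing parameter means the shipped N,8,1 setting.
    cfg = {"port": None, "baud": None, "parity": "none", "databits": 8,
           "stopbits": 1, "irq": None, "base": None}
    for token in m.group(1).upper().split():
        key, _, value = token.partition(":")
        if key == "IRQ":
            if value not in list("01234567"):
                raise ValueError(f"IRQ must be 0 to 7, got {value!r}")
            cfg["irq"] = int(value)
        elif key == "BASE":
            if not re.fullmatch(r"[0-9A-F]{3,4}", value) or int(value, 16) < 0x200:
                raise ValueError(f"BASE must be 200 to FFFF (hex), got {value!r}")
            cfg["base"] = int(value, 16)
        elif key in ("COM1", "COM2"):
            fields = value.split(",")
            if len(fields) > 4:
                raise ValueError(f"too many fields in {token!r}")
            speed, parity, databits, stopbits = (fields + [""] * 3)[:4]
            # The letter O is odd parity; the digit 0 is rejected here.
            for name, val, allowed in (("speed", speed, SPEED_CODES),
                                       ("parity", parity, PARITY),
                                       ("databits", databits, list("5678")),
                                       ("stopbits", stopbits, list("12"))):
                if (val or name == "speed") and val not in allowed:
                    raise ValueError(f"bad {name} {val!r} in {token!r}")
            cfg["port"], cfg["baud"] = int(key[3]), SPEED_CODES[speed]
            cfg["parity"] = PARITY.get(parity, cfg["parity"])
            cfg["databits"] = int(databits or cfg["databits"])
            cfg["stopbits"] = int(stopbits or cfg["stopbits"])
        else:
            raise ValueError(f"unrecognized parameter {token!r}")
    if cfg["port"] is None:
        raise ValueError("the COM port and speed are required")
    return cfg

if __name__ == "__main__":
    # Constructed sample lines modeled on the manual's two examples.
    for sample in (r"DEVICE=IOFORK COM2:48,O,7,2",
                   r"DEVICE=\TOOLS\IOFORK.SYS IRQ:5 BASE:02F8 COM1:96"):
        print(parse_iofork(sample))
```
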


Appendix C. Server Configuration Record 


Starting a Server Configuration Record 


Each server in your Distributed Sniffer System needs to be
well-documented, both for the maintenance of the system and to track
the changes you will inevitably make to it.


You may already have a network documentation system that works 
well for you. In that case, you may find the form contained herein 
helpful in developing any modification to your current system made 
necessary by installing a Distributed Sniffer System. 


If you want a separate record-keeping system specifically geared for 
the Distributed Sniffer System, then you may want to adopt the 
configuration form contained in this appendix. 


The “Server Configuration Form” on page C-4 is a sample form you 
can use to document a server's configuration. The fields on the form 
represent the most important configuration information based on 
NGC’s experience with the Distributed Sniffer System products. 


We also recommend that you maintain an up-to-date map of your 
system. Be sure to note: 


* Specific servers observing the different segments, rings, and 
links 


* Consoles controlling specific servers 


* Interconnection devices and their addresses.
Server Configuration Form


IP/NetBIOS Address


IP/NetBIOS address


[ ] NetBIOS/IPX

    Configuration Parameters


[ ] NetBIOS/NetBEUI

    Configuration Parameters


[ ] TCP/IP             Defaults
    IP                 0.0.0.0
    Subnet Mask        24 bits (255.255.255.0)
    Default Gateway    0.0.0.0
    SNMP Trap Targets
    IP Address         Community Name
    IP Address         Community Name
    IP Address         Community Name
    IP Address         Community Name
    IP Address         Community Name
    IP Address         Community Name


Transport Card                            Monitor Card
[ ] Token ring  [ ] 4 Mbps  [ ] 16 Mbps   [ ] Token ring  [ ] 4 Mbps  [ ] 16 Mbps
[ ] Ethernet    [ ] Thick   [ ] Thin      [ ] Ethernet    [ ] Thick   [ ] Thin
Hardware address                          [ ] WAN
Jumper/switch settings                    Hardware address
                                          Jumper/switch settings